{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33021", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T17:22:14.667Z", "datePublished": "2026-04-14T21:57:22.817Z", "dateUpdated": "2026-04-14T21:57:22.817Z"}, "containers": {"cna": {"title": "libsixel: Use-after-free in sixel_encoder_encode_bytes()", "problemTypes": [{"descriptions": [{"cweId": "CWE-416", "lang": "en", "description": "CWE-416: Use After Free", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/saitoha/libsixel/security/advisories/GHSA-j6m5-2cc7-3whc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/saitoha/libsixel/security/advisories/GHSA-j6m5-2cc7-3whc"}, {"name": "https://github.com/saitoha/libsixel/releases/tag/v1.8.7-r1", "tags": ["x_refsource_MISC"], "url": "https://github.com/saitoha/libsixel/releases/tag/v1.8.7-r1"}], "affected": [{"vendor": "saitoha", "product": "libsixel", "versions": [{"version": "< 1.8.7-r1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T21:57:22.817Z"}, "descriptions": [{"lang": "en", "value": "libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain a use-after-free vulnerability in sixel_encoder_encode_bytes() because sixel_frame_init() stores the caller-owned pixel buffer pointer directly in frame->pixels without making a defensive copy. When a resize operation is triggered, sixel_frame_convert_to_rgb888() unconditionally frees this caller-owned buffer and replaces it with a new internal allocation, leaving the caller with a dangling pointer. Any subsequent access to the original buffer by the caller constitutes a use-after-free, confirmed by AddressSanitizer. An attacker who controls incoming frames can trigger this bug repeatedly and predictably, resulting in a reliable crash with potential for code execution. This issue has been fixed in version 1.8.7-r1."}], "source": {"advisory": "GHSA-j6m5-2cc7-3whc", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain a use-after-free vulnerability in sixel_encoder_encode_bytes() because sixel_frame_init() stores the caller-owned pixel buffer pointer directly in frame->pixels without making a defensive copy. When a resize operation is triggered, sixel_frame_convert_to_rgb888() unconditionally frees this caller-owned buffer and replaces it with a new internal allocation, leaving the caller with a dangling pointer. Any subsequent access to the original buffer by the caller constitutes a use-after-free, confirmed by AddressSanitizer. An attacker who controls incoming frames can trigger this bug repeatedly and predictably, resulting in a reliable crash with potential for code execution. This issue has been fixed in version 1.8.7-r1."}], "id": "CVE-2026-33021", "lastModified": "2026-04-14T23:16:27.660", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-14T23:16:27.660", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/saitoha/libsixel/releases/tag/v1.8.7-r1"}, {"source": "security-advisories@github.com", "url": "https://github.com/saitoha/libsixel/security/advisories/GHSA-j6m5-2cc7-3whc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "libsixel: libsixel: Use-after-free vulnerability allows for potential code execution via premature pixel buffer freeing.", "id": "2458527", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458527"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "status": "draft"}, "cwe": "CWE-825", "details": ["A flaw was found in libsixel, a SIXEL encoder/decoder implementation. An attacker who controls incoming frames can exploit a use-after-free vulnerability. This occurs because a caller-owned pixel buffer is prematurely freed during a resize operation, leaving a dangling pointer. This can lead to a reliable crash and has the potential for arbitrary code execution."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, applications that utilize libsixel for processing SIXEL image data should avoid handling untrusted or unverified input. Implementing sandboxing mechanisms for applications that use libsixel can further restrict the potential impact of successful exploitation. If the vulnerable component is part of a service, a restart or service reload may be required for any configuration changes to take effect."}, "name": "CVE-2026-33021", "public_date": "2026-04-14T21:57:22Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33021\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33021\nhttps://github.com/saitoha/libsixel/releases/tag/v1.8.7-r1\nhttps://github.com/saitoha/libsixel/security/advisories/GHSA-j6m5-2cc7-3whc"], "statement": "This is an Important use-after-free vulnerability in libsixel, a SIXEL encoder/decoder library. The flaw allows an attacker to trigger a reliable crash and potentially execute arbitrary code by providing specially crafted incoming frames. Red Hat products that process untrusted SIXEL image data using libsixel are susceptible to this issue.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.8.7-r1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "libsixel", "source": "cna", "vendor": "saitoha"}, "product": "libsixel", "vendor": "saitoha"}], "analysis": {"en": {"generated_at": "2026-04-15T14:21:03.185080+00:00", "value": {"mitigation_remediation": ["Upgrade the libsixel package to version 1.8.7\u2011r1 or later, which copies pixel buffers internally and addresses CWE\u2011416 and CWE\u2011825.", "Ensure that any caller\u2011owned buffers passed to sixel_encoder_encode_bytes() are not freed by the library by audit or by avoiding passing external buffers if they might be freed during conversion.", "Validate all incoming SIXEL frames before encoding; reject frames with unexpected size or content, and use safe parsing to mitigate the use\u2011after\u2011free condition."], "summary": {"action": "Patch", "impact": "Use\u2011after\u2011FREE potentially leading to crash or execution"}, "threat_synthesis": {"affected_systems": "The saitoha:libsixel packages up to and including 1.8.7 are affected. The release 1.8.7\u2011r1 resolves the issue by making a defensive copy of pixel data, eliminating the dangling pointer.", "description_and_impact": "libsixel, a SIXEL encoder/decoder, has a use\u2011after\u2011free flaw in sixel_encoder_encode_bytes() for versions 1.8.7 and earlier. The flaw occurs because sixel_frame_init() stores a caller\u2011owned pixel buffer directly without copying, and a subsequent resize triggers sixel_frame_convert_to_rgb888() to free that external buffer, leaving a dangling pointer. If the caller then accesses the original buffer, a crash occurs. The vendor\u2019s AddressSanitizer testing indicates that repeated, predictable triggering could also enable code execution, although this is not a confirmed remote code execution vulnerability.", "risk_and_exploitability": "With a CVSS score of 7.3, the vulnerability is considered high severity. The EPSS score is under 1%, suggesting a low probability of opportunistic exploitation, and it is not listed in CISA\u2019s KEV catalog. An attacker who can supply crafted SIXEL frames can reliably trigger the flaw, causing crashes or possibly execution, especially in untrusted input scenarios. Overall, the risk warrants prompt remediation."}}}}, "created": "2026-04-15T13:48:23.617704+00:00", "updated": "2026-04-15T14:31:57.026348+00:00", "vendors": ["saitoha", "saitoha$PRODUCT$libsixel"]}