CVE-2026-33020

Name of the Vulnerable Software and Affected Versions libsixel versions prior to 1.8.7-r1

Description An integer overflow exists in the sixel frame convert to rgb888() function within frame.c. This occurs when allocation size and pointer offset computations for palettised images (PAL1, PAL2, PAL4) use int arithmetic before casting to size t. For images with a pixel count exceeding INT MAX / 4, an undersized heap allocation is created for the conversion buffer and a negative pointer offset is generated for the normalization sub-buffer. Subsequently, the sixel helper normalize pixelformat() function writes full image data starting from the invalid pointer, leading to heap corruption. A specially crafted large palettised PNG can cause a process crash or potential arbitrary code execution.

Recommendations Update to version 1.8.7-r1.