PT-2026-41033 · Libsixel · Libsixel
Aitoha
·
Published
2026-05-14
·
Updated
2026-05-14
·
CVE-2026-44637
CVSS v3.1
7.1
High
| Vector | AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
libsixel versions prior to 1.8.7-r2
Description
A signed integer overflow exists in the SIXEL parser's image-buffer doubling loop. The
context->pos x variable increases by repeat count for every sixel character without an upper bound check. When pos x approaches INT MAX, the expression pos x + repeat count used to size the image buffer overflows. This can bypass the resize check intended to reject oversized buffers, allowing a subsequent write to use a large attacker-influenced offset in image->data and write past the allocation. This issue is reachable via any caller that decodes attacker-supplied SIXEL data, such as img2sixel, and occurs within the sixel decode raw impl() function.Recommendations
Update to version 1.8.7-r2.
Exploit
Fix
Memory Corruption
Integer Overflow
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Libsixel