PT-2026-41033 · Libsixel · Libsixel

Aitoha

·

Published

2026-05-14

·

Updated

2026-05-14

·

CVE-2026-44637

CVSS v3.1

7.1

High

VectorAV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions libsixel versions prior to 1.8.7-r2
Description A signed integer overflow exists in the SIXEL parser's image-buffer doubling loop. The context->pos x variable increases by repeat count for every sixel character without an upper bound check. When pos x approaches INT MAX, the expression pos x + repeat count used to size the image buffer overflows. This can bypass the resize check intended to reject oversized buffers, allowing a subsequent write to use a large attacker-influenced offset in image->data and write past the allocation. This issue is reachable via any caller that decodes attacker-supplied SIXEL data, such as img2sixel, and occurs within the sixel decode raw impl() function.
Recommendations Update to version 1.8.7-r2.

Exploit

Fix

Memory Corruption

Integer Overflow

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-44637
GHSA-9JM7-77GR-QGHV

Affected Products

Libsixel