CVE-2026-44637

HIGH EPSS 5.6%
Published May 14, 20261mo ago · Modified Jun 17, 20262w ago
7.1 CVSS 3.1
High
Find Similar
Published May 14, 2026 1mo ago
Last Modified Jun 17, 2026 2w ago

Description

libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. From to 1.8.7-r1, a signed integer overflow in the SIXEL parser's image-buffer doubling loop can lead to an out-of-bounds heap write in sixel_decode_raw_impl. context->pos_x grows by repeat_count on every sixel character with no upper bound check. Once pos_x approaches INT_MAX, the expression "pos_x + repeat_count" used to size the image buffer overflows signed int. Depending on how the overflow wraps, the resize check that should reject oversized buffers can be bypassed, after which a subsequent write computes a large attacker-influenced offset into image->data and writes past the allocation. Reachable from any caller that decodes attacker-supplied SIXEL data, including img2sixel. This vulnerability is fixed in 1.8.7-r2.

CVSS Details

Base Score
7.1
Exploitability
1.8
Impact
5.2
Vector string
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality None
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
5.6% percentile
Exploit & Patch Status
Public Exploit Known
No Patch Available

Weaknesses 2

CWE-190 Integer Overflow or Wraparound Numeric Error
CWE-787 Out-of-bounds Write Memory Safety

Affected Products 1

VendorProductVersionRange
saitohalibsixel*≥0.11.0  –  <1.8.7-r2

References 1

  • github.com https://github.com/saitoha/libsixel/security/advisories/GHSA-9jm7-77gr-qghv
    ExploitVendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.