{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33018", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T17:22:14.666Z", "datePublished": "2026-04-14T21:45:42.261Z", "dateUpdated": "2026-04-16T13:53:25.060Z"}, "containers": {"cna": {"title": "libsixel: Use-After-Free in load_gif()", "problemTypes": [{"descriptions": [{"cweId": "CWE-416", "lang": "en", "description": "CWE-416: Use After Free", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/saitoha/libsixel/security/advisories/GHSA-w46f-jr9f-rgvp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/saitoha/libsixel/security/advisories/GHSA-w46f-jr9f-rgvp"}, {"name": "https://github.com/saitoha/libsixel/releases/tag/v1.8.7-r1", "tags": ["x_refsource_MISC"], "url": "https://github.com/saitoha/libsixel/releases/tag/v1.8.7-r1"}], "affected": [{"vendor": "saitoha", "product": "libsixel", "versions": [{"version": "< 1.8.7-rc1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T21:45:42.261Z"}, "descriptions": [{"lang": "en", "value": "libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain a Use-After-Free vulnerability via the load_gif() function in fromgif.c, where a single sixel_frame_t object is reused across all frames of an animated GIF and gif_init_frame() unconditionally frees and reallocates frame->pixels between frames without consulting the object's reference count. Because the public API explicitly provides sixel_frame_ref() to retain a frame and sixel_frame_get_pixels() to access the raw pixel buffer, a callback following this documented usage pattern will hold a dangling pointer after the second frame is decoded, resulting in a heap use-after-free confirmed by ASAN. Any application using sixel_helper_load_image_file() with a multi-frame callback to process user-supplied animated GIFs is affected, with a reliable crash as the minimum impact and potential for code execution. This issue has been fixed in version 1.8.7-r1."}], "source": {"advisory": "GHSA-w46f-jr9f-rgvp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T13:52:34.921283Z", "id": "CVE-2026-33018", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T13:53:25.060Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33018", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-16T13:52:34.921283Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T13:53:05.842Z"}}], "cna": {"title": "libsixel: Use-After-Free in load_gif()", "source": {"advisory": "GHSA-w46f-jr9f-rgvp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "saitoha", "product": "libsixel", "versions": [{"status": "affected", "version": "< 1.8.7-rc1"}]}], "references": [{"url": "https://github.com/saitoha/libsixel/security/advisories/GHSA-w46f-jr9f-rgvp", "name": "https://github.com/saitoha/libsixel/security/advisories/GHSA-w46f-jr9f-rgvp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/saitoha/libsixel/releases/tag/v1.8.7-r1", "name": "https://github.com/saitoha/libsixel/releases/tag/v1.8.7-r1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain a Use-After-Free vulnerability via the load_gif() function in fromgif.c, where a single sixel_frame_t object is reused across all frames of an animated GIF and gif_init_frame() unconditionally frees and reallocates frame->pixels between frames without consulting the object's reference count. Because the public API explicitly provides sixel_frame_ref() to retain a frame and sixel_frame_get_pixels() to access the raw pixel buffer, a callback following this documented usage pattern will hold a dangling pointer after the second frame is decoded, resulting in a heap use-after-free confirmed by ASAN. Any application using sixel_helper_load_image_file() with a multi-frame callback to process user-supplied animated GIFs is affected, with a reliable crash as the minimum impact and potential for code execution. This issue has been fixed in version 1.8.7-r1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416: Use After Free"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T21:45:42.261Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33018", "state": "PUBLISHED", "dateUpdated": "2026-04-16T13:53:25.060Z", "dateReserved": "2026-03-17T17:22:14.666Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-14T21:45:42.261Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:saitoha:libsixel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E16EAA6A-544F-4D16-829D-1B7C9979EA6A", "versionEndExcluding": "1.8.7-r1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain a Use-After-Free vulnerability via the load_gif() function in fromgif.c, where a single sixel_frame_t object is reused across all frames of an animated GIF and gif_init_frame() unconditionally frees and reallocates frame->pixels between frames without consulting the object's reference count. Because the public API explicitly provides sixel_frame_ref() to retain a frame and sixel_frame_get_pixels() to access the raw pixel buffer, a callback following this documented usage pattern will hold a dangling pointer after the second frame is decoded, resulting in a heap use-after-free confirmed by ASAN. Any application using sixel_helper_load_image_file() with a multi-frame callback to process user-supplied animated GIFs is affected, with a reliable crash as the minimum impact and potential for code execution. This issue has been fixed in version 1.8.7-r1."}], "id": "CVE-2026-33018", "lastModified": "2026-04-23T14:48:09.390", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-14T22:16:30.213", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/saitoha/libsixel/releases/tag/v1.8.7-r1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/saitoha/libsixel/security/advisories/GHSA-w46f-jr9f-rgvp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "libsixel: libsixel: Arbitrary code execution via Use-After-Free in GIF processing", "id": "2458497", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458497"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-825", "details": ["A flaw was found in libsixel, a SIXEL encoder/decoder implementation. This Use-After-Free vulnerability occurs when processing specially crafted animated Graphics Interchange Format (GIF) files. A remote attacker could exploit this by providing a malicious multi-frame GIF, causing the application to reuse a memory object incorrectly. This can lead to a denial of service due to a crash and potentially enable arbitrary code execution."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-33018", "public_date": "2026-04-14T21:45:42Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33018\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33018\nhttps://github.com/saitoha/libsixel/releases/tag/v1.8.7-r1\nhttps://github.com/saitoha/libsixel/security/advisories/GHSA-w46f-jr9f-rgvp"], "statement": "The vulnerability in libsixel, rated Important, allows for arbitrary code execution or denial of service when processing specially crafted animated GIF files. Red Hat products utilizing libsixel to process multi-frame animated GIFs via the `sixel_helper_load_image_file()` function with a multi-frame callback are affected. This issue arises from incorrect memory object reuse, leading to a Use-After-Free condition.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.8.7-rc1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "libsixel", "source": "cna", "vendor": "saitoha"}, "product": "libsixel", "vendor": "saitoha"}], "analysis": {"en": {"generated_at": "2026-04-15T13:22:58.877432+00:00", "value": {"mitigation_remediation": ["Upgrade libsixel to version 1.8.7-r1 or later, which removes the Use-After-Free by guarding the pixel buffer against unchecked frees.", "If upgrading is not immediately possible, avoid passing animated GIFs to sixel_helper_load_image_file() or bypass the multi\u2011frame callback, ensuring only single\u2011frame images are processed.", "Implement input validation to reject any file with more than one animation frame before invoking the decoder, or sanitize the callback to avoid using intermediate frame buffers after they are freed."], "summary": {"action": "Apply Patch", "impact": "Potential Code Execution via Use-After-Free"}, "threat_synthesis": {"affected_systems": "The library affected is saitoha:libsixel, version 1.8.7 and all earlier releases. The fix was released in version 1.8.7-r1; any application linking against an unpatched library and calling sixel_helper_load_image_file() with a multi\u2011frame callback on user\u2011supplied animated GIFs is impacted.", "description_and_impact": "A Use-After-Free condition arises in the load_gif() function of libsixel when handling animated GIFs. The function reuses a single sixel_frame_t object for each frame and frees its pixel buffer unconditionally, without checking the reference count. When a user-supplied callback follows the documented reference pattern, it may access a dangling pointer after decoding the second frame, which has been confirmed by AddressSanitizer. This leads to a reliable crash and, if an attacker controls memory layout, can be leveraged for arbitrary code execution.", "risk_and_exploitability": "The CVSS score of 7 indicates a high severity, but the EPSS score is unavailable, so current exploitation likelihood is unknown. The vulnerability is not present in CISA\u2019s KEV catalog, implying no confirmed widespread exploitation yet. Attackers would need to supply a malicious animated GIF to a vulnerable application; the use\u2011after\u2011free provides a crash baseline, and if the attacker can influence heap contents, code execution is possible. Successful exploitation typically requires the victim process to have sufficient privileges to compromise the host. The documented usage pattern it straightforward for an attacker to trigger the flaw if they can manipulate the callback."}}}}, "created": "2026-04-15T13:48:23.621739+00:00", "updated": "2026-04-15T14:31:57.031501+00:00", "vendors": ["saitoha", "saitoha$PRODUCT$libsixel"]}