{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33019", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T17:22:14.667Z", "datePublished": "2026-04-14T21:49:25.204Z", "dateUpdated": "2026-04-15T20:02:46.628Z"}, "containers": {"cna": {"title": "libsixel: Integer overflow leads to Out-of-bounds Read in img2sixel", "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "lang": "en", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-190", "lang": "en", "description": "CWE-190: Integer Overflow or Wraparound", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/saitoha/libsixel/security/advisories/GHSA-c854-ffg9-g72c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/saitoha/libsixel/security/advisories/GHSA-c854-ffg9-g72c"}, {"name": "https://github.com/saitoha/libsixel/releases/tag/v1.8.7-r1", "tags": ["x_refsource_MISC"], "url": "https://github.com/saitoha/libsixel/releases/tag/v1.8.7-r1"}], "affected": [{"vendor": "saitoha", "product": "libsixel", "versions": [{"version": "< 1.8.7-r1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T21:49:25.204Z"}, "descriptions": [{"lang": "en", "value": "libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain an integer overflow leading to an out-of-bounds heap read in the --crop option handling of img2sixel, where positive coordinates up to INT_MAX are accepted without overflow-safe bounds checking. In sixel_encoder_do_clip(), the expression clip_w + clip_x overflows to a large negative value when clip_x is INT_MAX, causing the bounds guard to be skipped entirely, and the unclamped coordinate is passed through sixel_frame_clip() to clip(), which computes a source pointer far beyond the image buffer and passes it to memmove(). An attacker supplying a specially crafted crop argument with any valid image can trigger an out-of-bounds read in the heap, resulting in a reliable crash and potential information disclosure. This issue has been fixed in version 1.8.7-r1."}], "source": {"advisory": "GHSA-c854-ffg9-g72c", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/saitoha/libsixel/security/advisories/GHSA-c854-ffg9-g72c", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T18:54:19.432280Z", "id": "CVE-2026-33019", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T20:02:46.628Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33019", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T18:54:19.432280Z"}}}], "references": [{"url": "https://github.com/saitoha/libsixel/security/advisories/GHSA-c854-ffg9-g72c", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T18:54:38.859Z"}}], "cna": {"title": "libsixel: Integer overflow leads to Out-of-bounds Read in img2sixel", "source": {"advisory": "GHSA-c854-ffg9-g72c", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "saitoha", "product": "libsixel", "versions": [{"status": "affected", "version": "< 1.8.7-r1"}]}], "references": [{"url": "https://github.com/saitoha/libsixel/security/advisories/GHSA-c854-ffg9-g72c", "name": "https://github.com/saitoha/libsixel/security/advisories/GHSA-c854-ffg9-g72c", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/saitoha/libsixel/releases/tag/v1.8.7-r1", "name": "https://github.com/saitoha/libsixel/releases/tag/v1.8.7-r1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain an integer overflow leading to an out-of-bounds heap read in the --crop option handling of img2sixel, where positive coordinates up to INT_MAX are accepted without overflow-safe bounds checking. In sixel_encoder_do_clip(), the expression clip_w + clip_x overflows to a large negative value when clip_x is INT_MAX, causing the bounds guard to be skipped entirely, and the unclamped coordinate is passed through sixel_frame_clip() to clip(), which computes a source pointer far beyond the image buffer and passes it to memmove(). An attacker supplying a specially crafted crop argument with any valid image can trigger an out-of-bounds read in the heap, resulting in a reliable crash and potential information disclosure. This issue has been fixed in version 1.8.7-r1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-190", "description": "CWE-190: Integer Overflow or Wraparound"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T21:49:25.204Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33019", "state": "PUBLISHED", "dateUpdated": "2026-04-15T20:02:46.628Z", "dateReserved": "2026-03-17T17:22:14.667Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-14T21:49:25.204Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:saitoha:libsixel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E16EAA6A-544F-4D16-829D-1B7C9979EA6A", "versionEndExcluding": "1.8.7-r1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain an integer overflow leading to an out-of-bounds heap read in the --crop option handling of img2sixel, where positive coordinates up to INT_MAX are accepted without overflow-safe bounds checking. In sixel_encoder_do_clip(), the expression clip_w + clip_x overflows to a large negative value when clip_x is INT_MAX, causing the bounds guard to be skipped entirely, and the unclamped coordinate is passed through sixel_frame_clip() to clip(), which computes a source pointer far beyond the image buffer and passes it to memmove(). An attacker supplying a specially crafted crop argument with any valid image can trigger an out-of-bounds read in the heap, resulting in a reliable crash and potential information disclosure. This issue has been fixed in version 1.8.7-r1."}], "id": "CVE-2026-33019", "lastModified": "2026-04-23T14:47:42.373", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-14T22:16:30.380", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/saitoha/libsixel/releases/tag/v1.8.7-r1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/saitoha/libsixel/security/advisories/GHSA-c854-ffg9-g72c"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/saitoha/libsixel/security/advisories/GHSA-c854-ffg9-g72c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}, {"lang": "en", "value": "CWE-190"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "libsixel: libsixel: Denial of Service and Information Disclosure via integer overflow in crop option", "id": "2458501", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458501"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", "status": "draft"}, "cwe": "CWE-190", "details": ["A flaw was found in libsixel. An attacker can trigger an integer overflow in the image processing component, img2sixel, by supplying a specially crafted crop argument. This vulnerability leads to an out-of-bounds memory read, which can cause the application to crash, resulting in a Denial of Service, and potentially expose sensitive information."], "mitigation": {"lang": "en:us", "value": "The vulnerability in `libsixel`'s `img2sixel` utility is triggered by processing untrusted input via the `--crop` option. To mitigate this, avoid using `img2sixel` with untrusted or unvalidated input. Restrict execution of `img2sixel` to trusted users and environments where input can be controlled."}, "name": "CVE-2026-33019", "public_date": "2026-04-14T21:49:25Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33019\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33019\nhttps://github.com/saitoha/libsixel/releases/tag/v1.8.7-r1\nhttps://github.com/saitoha/libsixel/security/advisories/GHSA-c854-ffg9-g72c"], "statement": "Important: A flaw in libsixel allows an attacker to trigger an integer overflow in the img2sixel component by providing a specially crafted crop argument. This can lead to an out-of-bounds memory read, causing a Denial of Service and potential information disclosure. Red Hat products utilizing libsixel for image processing, particularly with the img2sixel utility and its crop functionality, may be affected if processing untrusted input.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.8.7-r1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "libsixel", "source": "cna", "vendor": "saitoha"}, "product": "libsixel", "vendor": "saitoha"}], "analysis": {"en": {"generated_at": "2026-04-14T23:25:36.795192+00:00", "value": {"mitigation_remediation": ["Upgrade libsixel to version 1.8.7\u2011r1 or newer, which contains the patch for the integer overflow.", "If an upgrade is not immediately possible, completely disable or remove usage of the --crop option when invoking img2sixel, or replace it with a validated wrapper that rejects coordinates outside the image bounds.", "Validate any externally supplied crop coordinates before passing them to img2sixel to ensure they are within the image dimensions, thereby preventing the overflow."], "summary": {"action": "Patch Now", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the libsixel library version 1.8.7 and earlier distributed by saitoha. Any system that runs the img2sixel tool with the --crop parameter and provides a crafted coordinate can be impacted.", "description_and_impact": "A bug in libsixel's img2sixel command causes an integer overflow when processing the --crop option. Positive coordinates up to INT_MAX are accepted without safe bounds checks, leading to a negative width calculation that skips the bounds guard. The resulting out\u2011of\u2011bounds read occurs during a memmove, causing a crash and exposing data from the heap. The flaw can disclose sensitive information present in the process memory. This is a classic out\u2011of\u2011bounds read (CWE\u2011125) exacerbated by an integer overflow (CWE\u2011190).", "risk_and_exploitability": "The CVSS base score is 7.1, indicating high severity. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog. An attacker would need to supply a specially crafted crop argument, which is typically a local user or a process that controls input to img2sixel. Based on the description, the attack vector is inferred to be local; there is no evidence of remote exploitation via network interfaces. The vulnerability is exploitable when input validation is bypassed, making it a reliable crash with the potential to leak memory contents."}}}}, "created": "2026-04-15T13:48:23.621408+00:00", "updated": "2026-04-15T14:31:57.031049+00:00", "vendors": ["saitoha", "saitoha$PRODUCT$libsixel"]}