{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33023", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T17:22:14.667Z", "datePublished": "2026-04-14T22:05:31.493Z", "dateUpdated": "2026-04-15T20:02:36.839Z"}, "containers": {"cna": {"title": "libsixel: Use-after-free in load_with_gdkpixbuf()", "problemTypes": [{"descriptions": [{"cweId": "CWE-416", "lang": "en", "description": "CWE-416: Use After Free", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/saitoha/libsixel/security/advisories/GHSA-hr25-g2j6-qjw6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/saitoha/libsixel/security/advisories/GHSA-hr25-g2j6-qjw6"}, {"name": "https://github.com/saitoha/libsixel/releases/tag/v1.8.7-r1", "tags": ["x_refsource_MISC"], "url": "https://github.com/saitoha/libsixel/releases/tag/v1.8.7-r1"}], "affected": [{"vendor": "saitoha", "product": "libsixel", "versions": [{"version": "< 1.8.7-r1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T22:05:31.493Z"}, "descriptions": [{"lang": "en", "value": "libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. In versions 1.8.7 and prior, when built with the --with-gdk-pixbuf2 option, a use-after-free vulnerability exists in load_with_gdkpixbuf() in loader.c. The cleanup path manually frees the sixel_frame_t object and its internal buffers without consulting the reference count, even though the object was created via the refcounted constructor sixel_frame_new() and exposed to the public callback. A callback that calls sixel_frame_ref(frame) to retain a logically valid reference will hold a dangling pointer after sixel_helper_load_image_file() returns, and any subsequent access to the frame or its fields triggers a use-after-free confirmed by AddressSanitizer. The root cause is a consistency failure between two cleanup strategies in the same codebase: sixel_frame_unref() is used in load_with_builtin() but raw free() is used in load_with_gdkpixbuf(). An attacker supplying a crafted image to any application built against libsixel with gdk-pixbuf2 support can trigger this reliably, potentially leading to information disclosure, memory corruption, or code execution. This issue has been fixed in version 1.8.7-r1."}], "source": {"advisory": "GHSA-hr25-g2j6-qjw6", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/saitoha/libsixel/security/advisories/GHSA-hr25-g2j6-qjw6", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T18:48:25.027963Z", "id": "CVE-2026-33023", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T20:02:36.839Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33023", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-15T18:48:25.027963Z"}}}], "references": [{"url": "https://github.com/saitoha/libsixel/security/advisories/GHSA-hr25-g2j6-qjw6", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T18:53:07.970Z"}}], "cna": {"title": "libsixel: Use-after-free in load_with_gdkpixbuf()", "source": {"advisory": "GHSA-hr25-g2j6-qjw6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "saitoha", "product": "libsixel", "versions": [{"status": "affected", "version": "< 1.8.7-r1"}]}], "references": [{"url": "https://github.com/saitoha/libsixel/security/advisories/GHSA-hr25-g2j6-qjw6", "name": "https://github.com/saitoha/libsixel/security/advisories/GHSA-hr25-g2j6-qjw6", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/saitoha/libsixel/releases/tag/v1.8.7-r1", "name": "https://github.com/saitoha/libsixel/releases/tag/v1.8.7-r1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. In versions 1.8.7 and prior, when built with the --with-gdk-pixbuf2 option, a use-after-free vulnerability exists in load_with_gdkpixbuf() in loader.c. The cleanup path manually frees the sixel_frame_t object and its internal buffers without consulting the reference count, even though the object was created via the refcounted constructor sixel_frame_new() and exposed to the public callback. A callback that calls sixel_frame_ref(frame) to retain a logically valid reference will hold a dangling pointer after sixel_helper_load_image_file() returns, and any subsequent access to the frame or its fields triggers a use-after-free confirmed by AddressSanitizer. The root cause is a consistency failure between two cleanup strategies in the same codebase: sixel_frame_unref() is used in load_with_builtin() but raw free() is used in load_with_gdkpixbuf(). An attacker supplying a crafted image to any application built against libsixel with gdk-pixbuf2 support can trigger this reliably, potentially leading to information disclosure, memory corruption, or code execution. This issue has been fixed in version 1.8.7-r1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416: Use After Free"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T22:05:31.493Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33023", "state": "PUBLISHED", "dateUpdated": "2026-04-15T20:02:36.839Z", "dateReserved": "2026-03-17T17:22:14.667Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-14T22:05:31.493Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:saitoha:libsixel:*:*:*:*:*:*:*:*", "matchCriteriaId": "49AAE0F5-8747-4FA0-9E7F-37FC054A3198", "versionEndIncluding": "1.8.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. In versions 1.8.7 and prior, when built with the --with-gdk-pixbuf2 option, a use-after-free vulnerability exists in load_with_gdkpixbuf() in loader.c. The cleanup path manually frees the sixel_frame_t object and its internal buffers without consulting the reference count, even though the object was created via the refcounted constructor sixel_frame_new() and exposed to the public callback. A callback that calls sixel_frame_ref(frame) to retain a logically valid reference will hold a dangling pointer after sixel_helper_load_image_file() returns, and any subsequent access to the frame or its fields triggers a use-after-free confirmed by AddressSanitizer. The root cause is a consistency failure between two cleanup strategies in the same codebase: sixel_frame_unref() is used in load_with_builtin() but raw free() is used in load_with_gdkpixbuf(). An attacker supplying a crafted image to any application built against libsixel with gdk-pixbuf2 support can trigger this reliably, potentially leading to information disclosure, memory corruption, or code execution. This issue has been fixed in version 1.8.7-r1."}], "id": "CVE-2026-33023", "lastModified": "2026-04-23T14:46:46.827", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-14T23:16:27.820", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/saitoha/libsixel/releases/tag/v1.8.7-r1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/saitoha/libsixel/security/advisories/GHSA-hr25-g2j6-qjw6"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/saitoha/libsixel/security/advisories/GHSA-hr25-g2j6-qjw6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "libsixel: libsixel: Code execution via crafted image due to use-after-free vulnerability", "id": "2458523", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458523"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-825", "details": ["A flaw was found in libsixel, specifically when it is built with the gdk-pixbuf2 option. A remote attacker can exploit a use-after-free vulnerability by supplying a crafted image, which can lead to information disclosure, memory corruption, or arbitrary code execution."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-33023", "public_date": "2026-04-14T22:05:31Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33023\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33023\nhttps://github.com/saitoha/libsixel/releases/tag/v1.8.7-r1\nhttps://github.com/saitoha/libsixel/security/advisories/GHSA-hr25-g2j6-qjw6"], "statement": "An Important use-after-free flaw exists in libsixel when compiled with the gdk-pixbuf2 option. This vulnerability can be triggered by processing a specially crafted image, potentially leading to information disclosure, memory corruption, or arbitrary code execution in affected Red Hat products that utilize this specific build configuration.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.8.7-r1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "libsixel", "source": "cna", "vendor": "saitoha"}, "product": "libsixel", "vendor": "saitoha"}], "analysis": {"en": {"generated_at": "2026-04-15T13:51:36.648652+00:00", "value": {"mitigation_remediation": ["Update libsixel to version 1.8.7\u2011r1 or later.", "Rebuild all dependent applications with the updated libsixel library to ensure the use\u2011after\u2011free fix is applied.", "If an upgrade is not immediately possible, disable the gdk\u2011pixbuf2 support or restrict image inputs to trusted sources in applications that use older libsixel."], "summary": {"action": "Patch", "impact": "Use\u2011After\u2011Free that can lead to code execution"}, "threat_synthesis": {"affected_systems": "Products affected are those built with saitoha/libsixel when the --with-gdk-pixbuf2 option is enabled and using version 1.8.7 or earlier. The issue is fixed in release 1.8.7\u2011r1.", "description_and_impact": "The vulnerability is a use\u2011after\u2011free flaw in the load_with_gdkpixbuf() routine of libsixel. The routine frees the internal sixel_frame_t object directly, disregarding its reference count, and clients can release a valid frame reference before the cleanup. When a subsequent access occurs, a dangling pointer is dereferenced, which is confirmed by AddressSanitizer and can result in information disclosure, memory corruption, or arbitrary code execution. The weakness is a classic reference\u2011counting error described by CWE\u2011416 and CWE\u2011825.", "risk_and_exploitability": "The CVSS score is 7.8, indicating a High severity. No EPSS score is available, and the vulnerability is not included in the CISA KEV catalog. An attacker can reliably trigger the flaw by supplying a specially crafted image to any application that loads images via libsixel with gdk\u2011pixbuf2 support, thereby executing the exploit without needing additional privileges."}}}}, "created": "2026-04-15T13:48:23.617360+00:00", "updated": "2026-04-15T14:31:57.025886+00:00", "vendors": ["saitoha", "saitoha$PRODUCT$libsixel"]}