CVE-2026-33020Heap-based Buffer Overflow in Libsixel

CWE-122Heap-based Buffer OverflowCWE-190Integer Overflow or Wraparound6 documents5 sources
Severity
7.1HIGHNVD
EPSS
0.0%
top 97.01%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Saitoha Libsixel
Timeline
PublishedApr 14
Latest updateApr 17

Description

libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain an integer overflow which leads to a heap buffer overflow via sixel_frame_convert_to_rgb888() in frame.c, where allocation size and pointer offset computations for palettised images (PAL1, PAL2, PAL4) are performed using int arithmetic before casting to size_t. For images whose pixel count exceeds INT_MAX / 4, the overflow produces an undersized heap allocation for the conversion buffe

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:HExploitability: 1.8 | Impact: 5.2

Affected Packages1 packages

CVEListV5saitoha/libsixel< 1.8.7-r1

🔴Vulnerability Details

2
VulDB
saitoha libsixel up to 1.8.6 SIXEL Encoder sixel_frame_convert_to_rgb888 heap-based overflow (Nessus ID 306636)2026-04-17
CVEList
libsixel: Integer Overflow in write_png_to_file() leads to Heap-based Buffer Overflow2026-04-14

📋Vendor Advisories

1
Red Hat
libsixel: libsixel: Arbitrary code execution via crafted palettised PNG image processing2026-04-14

💬Community

2
Bugzilla
CVE-2026-33020 libsixel: libsixel: Arbitrary code execution via crafted palettised PNG image processing [fedora-all]2026-04-15
Bugzilla
CVE-2026-33020 libsixel: libsixel: Arbitrary code execution via crafted palettised PNG image processing2026-04-14
CVE-2026-33020 — Heap-based Buffer Overflow in Libsixel | cvebase