CVE-2026-33023Use After Free in Libsixel

CWE-416Use After FreeCWE-825Expired Pointer Dereference5 documents4 sources
Severity
7.8HIGHNVD
EPSS
0.0%
top 96.99%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Saitoha Libsixel
Timeline
PublishedApr 14
Latest updateApr 15

Description

libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. In versions 1.8.7 and prior, when built with the --with-gdk-pixbuf2 option, a use-after-free vulnerability exists in load_with_gdkpixbuf() in loader.c. The cleanup path manually frees the sixel_frame_t object and its internal buffers without consulting the reference count, even though the object was created via the refcounted constructor sixel_frame_new() and exposed to the public callback. A callback that calls sixel

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages1 packages

CVEListV5saitoha/libsixel< 1.8.7-r1

🔴Vulnerability Details

1
CVEList
libsixel: Use-after-free in load_with_gdkpixbuf()2026-04-14

📋Vendor Advisories

1
Red Hat
libsixel: libsixel: Code execution via crafted image due to use-after-free vulnerability2026-04-14

💬Community

2
Bugzilla
CVE-2026-33023 libsixel: libsixel: Code execution via crafted image due to use-after-free vulnerability [fedora-all]2026-04-15
Bugzilla
CVE-2026-33023 libsixel: libsixel: Code execution via crafted image due to use-after-free vulnerability2026-04-14
CVE-2026-33023 — Use After Free in Saitoha Libsixel | cvebase