CVE-2026-44638

/* * Conceptual PoC for CVE-2026-44638 * This code demonstrates the logic error in libsixel <= 1.8.7-r1. * To actually trigger this, one would need to call the vulnerable library function * in a low-memory environment. */ #include <stdio.h> #include <stdlib.h> #include <string.h> // Simulating the vulnerable logic void vulnerable_decode(char **output, size_t size) { // Allocation happens *output = (char *)malloc(size); // VULNERABLE CHECK: Checks the address of the pointer (output) rather than the value (*output) // In the real bug, it checked the output parameter address. if (&output == NULL) { // This condition is always false printf("Allocation failed detected (impossible path).\n"); return; } // If malloc returned NULL (low memory), this write causes a crash strcpy(*output, "SIXEL DATA"); } int main() { char *data = NULL; // In a real scenario, we would exhaust memory first or pass a huge size // to force malloc to return NULL, then call the library function. // Here we simulate the malloc failure by passing NULL directly to the write logic // for demonstration purposes, as forcing OOM is complex in a snippet. printf("Simulating conditions leading to NULL pointer dereference...\n"); // Forcing the crash scenario for demonstration: char *null_ptr = NULL; // The vulnerable code would do: strcpy(null_ptr, "DATA"); printf("Process would crash here attempting to write to NULL pointer.\n"); return 0; }

{"cve": {"id": "CVE-2026-44638", "sourceIdentifier": "[email protected]", "published": "2026-05-14T20:17:08.983", "lastModified": "2026-05-14T21:21:10.620", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. From to 1.8.7-r1, a wrong NULL check after an allocation call in sixel_decode_raw and sixel_decode causes a NULL pointer dereference whenever the allocation fails. The check tests the address of the output parameter (always non-NULL) instead of the value the malloc returned. On allocation failure, the function continues and writes through a NULL pointer, crashing the process. This is a denial of service against any caller of these public APIs that hits a low-memory condition. This vulnerability is fixed in 1.8.7-r2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", "baseScore": 2.5, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.0, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}, {"lang": "en", "value": "CWE-690"}]}], "references": [{"url": "https://github.com/saitoha/libsixel/security/advisories/GHSA-wpx3-h5g8-qr3w", "source": "[email protected]"}]}}