CVE-2026-44636

libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. From to 1.8.7-r1, signed integer overflow in sixel_encode_highcolor's allocation size calculation can lead to a heap buffer overflow. The public sixel_encode entry point validates only that width and height are greater than zero, with no upper bound. width and height are multiplied as plain int when computing the allocation size for paletted_pixels and normalized_pixels. Any caller that asks libsixel to encode a pixel buffer with width times height greater than INT_MAX (about 2.15 billion) will hit a wrapped allocation size; under the right wrap, the malloc succeeds with a buffer much smaller than the encoder expects, and the encoder writes past the end of the heap allocation. This vulnerability is fixed in 1.8.7-r2.

CVSS v3 7.4 HIGH

7.4^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.4 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/saitoha/libsixel/security/advisories/GHSA-hx93-w8p2-ffh5	Vendor Advisory
https://github.com/saitoha/libsixel/security/advisories/GHSA-hx93-w8p2-ffh5	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:saitoha:libsixel:*:*:*:*:*:*:*:*

History

16 May 2026, 01:16

Type	Values Removed	Values Added
References	~~() https://github.com/saitoha/libsixel/security/advisories/GHSA-hx93-w8p2-ffh5 - Vendor Advisory~~	() https://github.com/saitoha/libsixel/security/advisories/GHSA-hx93-w8p2-ffh5 - Vendor Advisory

15 May 2026, 17:56

Type	Values Removed	Values Added
CPE		cpe:2.3:a:saitoha:libsixel::::::::
First Time		Saitoha Saitoha libsixel
References	~~() https://github.com/saitoha/libsixel/security/advisories/GHSA-hx93-w8p2-ffh5 -~~	() https://github.com/saitoha/libsixel/security/advisories/GHSA-hx93-w8p2-ffh5 - Vendor Advisory

14 May 2026, 20:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-14 20:17

Updated : 2026-05-16 01:16

NVD link : CVE-2026-44636

Mitre link : CVE-2026-44636

CVE.ORG link : CVE-2026-44636

JSON object : View

Products Affected

saitoha

libsixel

CWE

CWE-122

Heap-based Buffer Overflow

CWE-190

Integer Overflow or Wraparound

{"id": "CVE-2026-44636", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.4}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2026-05-14T20:17:08.703", "references": [{"url": "https://github.com/saitoha/libsixel/security/advisories/GHSA-hx93-w8p2-ffh5", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/saitoha/libsixel/security/advisories/GHSA-hx93-w8p2-ffh5", "tags": ["Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-122"}, {"lang": "en", "value": "CWE-190"}]}], "descriptions": [{"lang": "en", "value": "libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. From to 1.8.7-r1, signed integer overflow in sixel_encode_highcolor's allocation size calculation can lead to a heap buffer overflow. The public sixel_encode entry point validates only that width and height are greater than zero, with no upper bound. width and height are multiplied as plain int when computing the allocation size for paletted_pixels and normalized_pixels. Any caller that asks libsixel to encode a pixel buffer with width times height greater than INT_MAX (about 2.15 billion) will hit a wrapped allocation size; under the right wrap, the malloc succeeds with a buffer much smaller than the encoder expects, and the encoder writes past the end of the heap allocation. This vulnerability is fixed in 1.8.7-r2."}], "lastModified": "2026-05-16T01:16:16.920", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:saitoha:libsixel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B8AE0482-C99E-4D5B-84FA-18F9BE7A0C13", "versionEndExcluding": "1.8.7-r2", "versionStartIncluding": "1.4.4"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}