CVE-2026-33019
Published: 14 April 2026
Summary
CVE-2026-33019 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Saitoha Libsixel. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The CVE ranks at the 0.6th percentile by exploit likelihood (well below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-33019 affects libsixel, a SIXEL encoder/decoder implementation derived from kmiya's sixel, in versions 1.8.7 and prior. The vulnerability is an integer overflow in the --crop option handling of the img2sixel tool, where positive coordinates up to INT_MAX are accepted without overflow-safe bounds checking. Specifically, in sixel_encoder_do_clip(), the expression clip_w + clip_x overflows to a large negative value when clip_x is INT_MAX, bypassing the bounds guard. This unclamped coordinate propagates through sixel_frame_clip() to clip(), computing a source pointer far beyond the image buffer and passing it to memmove(), resulting in an out-of-bounds heap read. The issue is classified under CWE-125 (Out-of-bounds Read) and CWE-190 (Integer Overflow or Wraparound), with a CVSS v3.1 base score of 7.1.
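The guard-bypass described above comes down to forming the sum `clip_w + clip_x` first and comparing it afterwards. The following C program is an added illustration of that bug class beside its overflow-safe form; it is not libsixel's source, and the function names (`crop_guard_vulnerable`, `crop_guard_safe`, `crop_row`) and the row-based layout are assumptions made for the example. Signed overflow is undefined behaviour in C, so the faulty guard models the wrap with unsigned arithmetic to behave the same under every compiler and optimisation level; the real code performs the signed addition the advisory describes.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Illustration only: a minimal crop-bounds check in the style the advisory
 * describes. Not libsixel's code; names and signatures are assumptions. */

/* The faulty pattern. The intent is to reject a crop that extends past the
 * image width, but the sum is formed first and compared afterwards. With
 * clip_x == INT_MAX and any positive clip_w the sum wraps negative, the
 * comparison passes, and the caller proceeds with the unclamped coordinate.
 * The wrap is modelled with unsigned arithmetic (the real code does the
 * signed addition, which is undefined behaviour and wraps in practice). */
static bool crop_guard_vulnerable(int width, int clip_x, int clip_w)
{
    if (clip_x < 0 || clip_w <= 0 || width <= 0)
        return false;
    int sum = (int)((unsigned)clip_x + (unsigned)clip_w);   /* may wrap */
    if (sum > width)
        return false;      /* the only rejection path for oversize crops */
    return true;           /* a wrapped, negative sum slips through here */
}

/* Overflow-safe form: never form a sum that could wrap. clip_x may not
 * exceed width, and clip_w may not exceed the room that remains. */
static bool crop_guard_safe(int width, int clip_x, int clip_w)
{
    if (clip_x < 0 || clip_w <= 0 || width <= 0)
        return false;
    if (clip_x > width)
        return false;
    if (clip_w > width - clip_x)   /* width - clip_x >= 0, cannot overflow */
        return false;
    return true;
}

/* Crop one row of width bytes: copies clip_w bytes starting at clip_x into
 * dst. Returns the number of bytes copied, or -1 if the crop was rejected.
 * Only the safe guard is used here. With the vulnerable guard, the source
 * pointer would be row + INT_MAX and memmove() would read far outside the
 * buffer, which is the out-of-bounds heap read the advisory describes. */
static int crop_row(unsigned char *dst, const unsigned char *row, int width,
                    int clip_x, int clip_w)
{
    if (!crop_guard_safe(width, clip_x, clip_w))
        return -1;
    memmove(dst, row + clip_x, (size_t)clip_w);
    return clip_w;
}

int main(void)
{
    const int width = 64;
    unsigned char row[64];                 /* constructed sample row */
    unsigned char out[64];
    memset(row, 0xAB, sizeof row);

    printf("crop x=8 w=16:        vuln=%d safe=%d\n",
           crop_guard_vulnerable(width, 8, 16), crop_guard_safe(width, 8, 16));
    printf("crop x=60 w=16:       vuln=%d safe=%d\n",
           crop_guard_vulnerable(width, 60, 16), crop_guard_safe(width, 60, 16));
    printf("crop x=INT_MAX w=1:   vuln=%d safe=%d\n",
           crop_guard_vulnerable(width, INT_MAX, 1),
           crop_guard_safe(width, INT_MAX, 1));
    printf("safe crop copied %d bytes\n", crop_row(out, row, width, 8, 16));
    printf("INT_MAX crop result %d\n", crop_row(out, row, width, INT_MAX, 1));
    return 0;
}
```

The second guard is the general fix for this class: rearrange the comparison so every intermediate value stays within range, rather than checking the result of an addition that may already have wrapped. The same rewrite applies to the `clip_y`/`clip_h` pair.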
The attack vector is local: the attacker supplies a crafted --crop argument alongside any valid image to img2sixel. Attack complexity is low and no privileges are required, but user interaction is needed, since the victim must run img2sixel with the attacker's --crop values. In practice this matters most where img2sixel is invoked with externally supplied options, for example in an automated conversion pipeline. Successful exploitation triggers a reliable crash (denial of service) and may disclose heap contents through the out-of-bounds read, giving high confidentiality and availability impact and no integrity impact.
The GitHub security advisory (GHSA-c854-ffg9-g72c) and the v1.8.7-r1 release notes confirm the fix in libsixel 1.8.7-r1; users should update to that release or later.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-22742
Vulnerability details
libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain an integer overflow leading to an out-of-bounds heap read in the --crop option handling of img2sixel, where positive coordinates up to INT_MAX are accepted without overflow-safe bounds checking. In sixel_encoder_do_clip(), the expression clip_w + clip_x overflows to a large negative value when clip_x is INT_MAX, causing the bounds guard to be skipped entirely, and the unclamped coordinate is passed through sixel_frame_clip() to clip(), which computes a source pointer far beyond the image buffer and passes it to memmove(). An attacker supplying a specially crafted crop argument with any valid image can trigger an out-of-bounds read in the heap, resulting in a reliable crash and potential information disclosure. This issue has been fixed in version 1.8.7-r1.
- CWE(s): CWE-125 (Out-of-bounds Read), CWE-190 (Integer Overflow or Wraparound)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in this CLI image tool is triggered through user interaction with malicious command-line arguments applied to a valid image file (T1204.002, Malicious File). Exploiting the integer overflow produces a reliable process crash, which matches Endpoint Denial of Service: Application or System Exploitation (T1499.004). No code execution or remote vector is present.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly remediates the integer overflow by requiring timely patching to libsixel 1.8.7-r1 or later, which removes the out-of-bounds heap read.
- SI-10 (Information Input Validation): validates crop coordinates before they reach img2sixel, rejecting values such as INT_MAX that would wrap the bounds check; this is a compensating control where patching is delayed, not a substitute for it.
- Memory protection: hardening such as ASLR and a hardened allocator does not remove the bug, but makes a read from a pointer far outside the buffer more likely to land in unmapped memory and crash early than to disclose useful heap contents.