Cyber Resilience

CVE-2026-33019

Severity: High · Public PoC

Published: 14 April 2026
Modified: 23 April 2026
KEV added: not listed
Patch: available (libsixel 1.8.7-r1)
CVSS v3.1 score: 7.1 (vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H)
EPSS score: 0.0001 (0.6th percentile)
Risk priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-33019 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Saitoha Libsixel. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). EPSS ranks it at the 0.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-33019 affects libsixel, a SIXEL encoder/decoder implementation derived from kmiya's sixel, in versions 1.8.7 and prior. The vulnerability is an integer overflow in the --crop option handling of the img2sixel tool, where positive coordinates up to INT_MAX are accepted without overflow-safe bounds checking. Specifically, in sixel_encoder_do_clip(), the expression clip_w + clip_x overflows to a large negative value when clip_x is INT_MAX, bypassing the bounds guard. This unclamped coordinate propagates through sixel_frame_clip() to clip(), computing a source pointer far beyond the image buffer and passing it to memmove(), resulting in an out-of-bounds heap read. The issue is classified under CWE-125 (Out-of-bounds Read) and CWE-190 (Integer Overflow or Wraparound), with a CVSS v3.1 base score of 7.1.

A local attacker can exploit this vulnerability by supplying a specially crafted crop argument alongside any valid image to img2sixel. Exploitation requires low complexity and user interaction, such as tricking a user into processing the image with the malicious --crop parameters, but no privileges are needed. Successful exploitation triggers a reliable crash for denial-of-service and enables potential information disclosure via the out-of-bounds heap read, with high impact on confidentiality and availability but no integrity impact.

The GitHub security advisory (GHSA-c854-ffg9-g72c) and release notes for v1.8.7-r1 confirm the issue has been fixed in libsixel version 1.8.7-r1, recommending users update to this patched release to mitigate the vulnerability.

Vulnerability details

libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain an integer overflow leading to an out-of-bounds heap read in the --crop option handling of img2sixel, where positive coordinates up to INT_MAX are accepted without overflow-safe bounds checking. In sixel_encoder_do_clip(), the expression clip_w + clip_x overflows to a large negative value when clip_x is INT_MAX, causing the bounds guard to be skipped entirely, and the unclamped coordinate is passed through sixel_frame_clip() to clip(), which computes a source pointer far beyond the image buffer and passes it to memmove(). An attacker supplying a specially crafted crop argument with any valid image can trigger an out-of-bounds read in the heap, resulting in a reliable crash and potential information disclosure. This issue has been fixed in version 1.8.7-r1.
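The guard bypass described in the deeper analysis and the vulnerability details above, modelled as an added example (this is not libsixel's code; the function names and the exact shape of the naive guard are assumptions): the overflow-prone check that forms clip_x + clip_w first, beside an overflow-safe check that compares against the remaining room instead.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of the guard described for sixel_encoder_do_clip():
 * the sum clip_x + clip_w is formed first and only then compared with the
 * image width. Signed overflow is undefined behaviour in C, so the wrap is
 * made explicit through unsigned arithmetic to model the reported behaviour
 * deterministically (two's-complement wrap to a large negative value). */
static bool crop_fits_naive(int img_w, int clip_x, int clip_w)
{
    int end = (int)((unsigned)clip_x + (unsigned)clip_w); /* wraps */
    /* A wrapped, negative end satisfies end <= img_w, so the guard passes
     * even though the crop starts beyond the end of the row. */
    return clip_x >= 0 && clip_w > 0 && end <= img_w;
}

/* Overflow-safe form: never compute clip_x + clip_w. Reject out-of-range
 * pieces first, then compare clip_w with the room left after clip_x; that
 * subtraction cannot overflow once clip_x <= img_w is known. */
static bool crop_fits_safe(int img_w, int clip_x, int clip_w)
{
    if (img_w < 0 || clip_x < 0 || clip_w <= 0)
        return false;
    if (clip_x > img_w)
        return false;
    return clip_w <= img_w - clip_x;
}

int main(void)
{
    /* Constructed inputs: a 640-pixel-wide row and four crop requests,
     * the last one with clip_x = INT_MAX as in the advisory. */
    const int img_w = 640;
    const struct { int x, w; } cases[] = {
        {0, 640}, {600, 40}, {600, 41}, {INT_MAX, 16}
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("clip_x=%d clip_w=%d naive=%d safe=%d\n", cases[i].x, cases[i].w,
               (int)crop_fits_naive(img_w, cases[i].x, cases[i].w),
               (int)crop_fits_safe(img_w, cases[i].x, cases[i].w));
    }
    return 0;
}
```

Only the INT_MAX case separates the two checks: the naive guard accepts it and the safe one rejects it, while both agree on in-range and ordinary over-wide crops.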

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1204.002 Malicious File (Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.
T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability in this CLI image tool is triggered via user interaction with malicious command-line arguments applied to a valid image file (T1204.002); exploitation of the integer overflow produces a reliable process crash, matching application exploitation for denial of service (T1499.004). No code execution or remote vector is present.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-44637 · Same product: Saitoha Libsixel
CVE-2026-33020 · Same product: Saitoha Libsixel
CVE-2026-44636 · Same product: Saitoha Libsixel
CVE-2026-33021 · Same product: Saitoha Libsixel
CVE-2026-33023 · Same product: Saitoha Libsixel
CVE-2026-33905 · Shared CWE-125
CVE-2026-35176 · Shared CWE-125
CVE-2026-5673 · Shared CWE-125
CVE-2025-70308 · Shared CWE-125
CVE-2026-32845 · Shared CWE-190

Affected Assets

saitoha / libsixel: ≤ 1.8.7-r1

Mitigating Controls (NIST 800-53 r5, AI-assigned)

SI-2 Flaw Remediation · prevent

Directly remediates the integer overflow vulnerability in libsixel by requiring timely patching to version 1.8.7-r1, preventing the out-of-bounds heap read.

SI-10 Information Input Validation · prevent

Validates input parameters such as crop coordinates before they are passed to img2sixel, preventing the supply of overflow-inducing values such as INT_MAX.

Memory safeguards · prevent, detect

Implements memory safeguards such as heap canaries and address-space randomization to mitigate exploitation of the out-of-bounds heap read, causing early crashes or hindering information disclosure.
