Cyber Resilience

CVE-2026-33020

Severity: High · Public PoC

Published: 14 April 2026
Modified: 23 April 2026
KEV Added: not listed
Patch: 1.8.7-r1
CVSS v3.1 score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H)
EPSS score: 0.0002 (6.6th percentile)
Risk priority: 14 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-33020 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Saitoha Libsixel. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 6.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-33020 is an integer overflow vulnerability in libsixel, an implementation of a SIXEL encoder/decoder derived from kmiya's sixel, affecting versions 1.8.7 and prior. The issue occurs in the sixel_frame_convert_to_rgb888() function within frame.c, where allocation size and pointer offset computations for palettised images (PAL1, PAL2, PAL4) use int arithmetic before casting to size_t. For images whose pixel count exceeds INT_MAX / 4, this results in an undersized heap allocation for the conversion buffer and a negative pointer offset for the normalization sub-buffer. Subsequent calls to sixel_helper_normalize_pixelformat() then write full image data from the invalid pointer, causing massive heap corruption, as confirmed by ASAN instrumentation. The vulnerability is classified under CWE-122 (Heap-based Buffer Overflow) and CWE-190 (Integer Overflow or Wraparound), with a CVSS v3.1 base score of 7.1.

An attacker can exploit this vulnerability locally by providing a specially crafted large palettised PNG image to a victim process using libsixel. Exploitation requires user interaction, such as opening the malicious image in a compatible application, but no special privileges are needed. Successful exploitation leads to reliable process crashes and heap corruption, enabling potential arbitrary code execution with high impact on integrity and availability, though no confidentiality impact.

The issue has been addressed in libsixel version 1.8.7-r1, as detailed in the project's GitHub release notes and security advisory GHSA-2xgm-4x47-2x2p, which recommend upgrading to the patched version for mitigation.

Vulnerability details

libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain an integer overflow which leads to a heap buffer overflow via sixel_frame_convert_to_rgb888() in frame.c, where allocation size and pointer offset computations for palettised images (PAL1, PAL2, PAL4) are performed using int arithmetic before casting to size_t. For images whose pixel count exceeds INT_MAX / 4, the overflow produces an undersized heap allocation for the conversion buffer and a negative pointer offset for the normalization sub-buffer, after which sixel_helper_normalize_pixelformat() writes the full image data starting from the invalid pointer, causing massive heap corruption confirmed by ASAN. An attacker providing a specially crafted large palettised PNG can corrupt the heap of the victim process, resulting in a reliable crash and potential arbitrary code execution. This issue has been fixed in version 1.8.7-r1.
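As an added illustration of the sizing flaw described in the Deeper analysis and Vulnerability details sections (this is not libsixel's code and not part of the advisory): the int-arithmetic size computation beside an overflow-checked size_t version, plus the INT_MAX / 4 pre-check the advisory implies. It assumes a hypothetical 4-bytes-per-pixel conversion buffer so the threshold matches; the function names are invented.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: 4 bytes per pixel, matching the advisory's INT_MAX / 4 threshold. */
#define BYTES_PER_PIXEL 4

/* Flawed pattern from the advisory: multiply in int, then cast to size_t.
 * Signed overflow is undefined in C, so the wraparound is emulated with
 * uint32_t arithmetic converted back to int, the usual two's-complement result. */
static size_t buggy_alloc_size(int width, int height)
{
    uint32_t wrapped = (uint32_t)width * (uint32_t)height * BYTES_PER_PIXEL;
    int as_int = (int)wrapped; /* small -> undersized malloc; negative -> huge size_t */
    return (size_t)as_int;
}

/* Hardened form: arithmetic in size_t with explicit overflow checks.
 * Returns the byte count, or 0 when the dimensions are invalid or the
 * product would not fit; callers must treat 0 as an error. */
static size_t checked_alloc_size(int width, int height)
{
    if (width <= 0 || height <= 0)
        return 0;
    size_t w = (size_t)width, h = (size_t)height;
    if (w > SIZE_MAX / h)
        return 0;
    size_t pixels = w * h;
    if (pixels > SIZE_MAX / BYTES_PER_PIXEL)
        return 0;
    return pixels * BYTES_PER_PIXEL;
}

/* Pre-check mirroring the advisory: int-based sizing is only safe while
 * width * height <= INT_MAX / 4. Returns 1 when an image is over that limit. */
static int exceeds_int_threshold(int width, int height)
{
    long long pixels = (long long)width * (long long)height;
    return pixels > (long long)(INT_MAX / BYTES_PER_PIXEL);
}

int main(void)
{
    int w = 32768, h = 32768; /* constructed: 2^30 pixels, over the threshold */
    printf("over threshold: %d\n", exceeds_int_threshold(w, h));
    printf("int-math size : %zu bytes\n", buggy_alloc_size(w, h));
    printf("checked size  : %zu bytes\n", checked_alloc_size(w, h));
    return 0;
}
```

For the 32768x32768 case the int-math size wraps to 0 bytes, the undersized allocation the advisory describes, while the checked version returns the true 4 GiB count (or 0 on a 32-bit build, where it cannot fit).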

CWE(s)

CWE-122 (Heap-based Buffer Overflow), CWE-190 (Integer Overflow or Wraparound)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Integer overflow leading to heap buffer overflow in image decoder (libsixel) directly enables client-side RCE when a crafted PNG is processed/opened, matching T1203 Exploitation for Client Execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-44636: same product (Saitoha Libsixel)
CVE-2026-44637: same product (Saitoha Libsixel)
CVE-2026-33023: same product (Saitoha Libsixel)
CVE-2026-33019: same product (Saitoha Libsixel)
CVE-2026-33021: same product (Saitoha Libsixel)
CVE-2026-42046: shared CWE-122, CWE-190
CVE-2025-21339: shared CWE-122
CVE-2025-59295: shared CWE-122
CVE-2025-21407: shared CWE-122
CVE-2026-34545: shared CWE-122, CWE-190

Affected Assets

saitoha libsixel, versions ≤ 1.8.7-r1

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation (prevent): Directly mandates timely remediation of known flaws like the integer overflow in libsixel by applying patches such as version 1.8.7-r1.

SI-16 Memory Protection (prevent): Provides memory protections like ASLR and DEP to mitigate heap buffer overflows and prevent arbitrary code execution from heap corruption caused by the vulnerability.

Input validation (prevent): Requires validation of input image pixel counts and formats to block processing of oversized palettised PNGs that trigger the integer overflow leading to undersized allocations.