CVE-2026-33020
Published: 14 April 2026
Summary
CVE-2026-33020 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Saitoha Libsixel. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 6.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-33020 is an integer overflow vulnerability in libsixel, an implementation of a SIXEL encoder/decoder derived from kmiya's sixel, affecting versions 1.8.7 and prior. The issue occurs in the sixel_frame_convert_to_rgb888() function within frame.c, where allocation size and pointer offset computations for palettised images (PAL1, PAL2, PAL4) use int arithmetic before casting to size_t. For images whose pixel count exceeds INT_MAX / 4, this results in an undersized heap allocation for the conversion buffer and a negative pointer offset for the normalization sub-buffer. Subsequent calls to sixel_helper_normalize_pixelformat() then write full image data from the invalid pointer, causing massive heap corruption, as confirmed by ASAN instrumentation. The vulnerability is classified under CWE-122 (Heap-based Buffer Overflow) and CWE-190 (Integer Overflow or Wraparound), with a CVSS v3.1 base score of 7.1.
An attacker can exploit this vulnerability locally by providing a specially crafted large palettised PNG image to a victim process using libsixel. Exploitation requires user interaction, such as opening the malicious image in a compatible application, but no special privileges are needed. Successful exploitation leads to reliable process crashes and heap corruption, enabling potential arbitrary code execution with high impact on integrity and availability, though no confidentiality impact.
The issue has been addressed in libsixel version 1.8.7-r1, as detailed in the project's GitHub release notes and security advisory GHSA-2xgm-4x47-2x2p, which recommend upgrading to the patched version for mitigation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-22744
Vulnerability details
libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain an integer overflow which leads to a heap buffer overflow via sixel_frame_convert_to_rgb888() in frame.c, where allocation size and pointer offset computations for palettised images (PAL1, PAL2, PAL4) are performed using int arithmetic before casting to size_t. For images whose pixel count exceeds INT_MAX / 4, the overflow produces an undersized heap allocation for the conversion buffer and a negative pointer offset for the normalization sub-buffer, after which sixel_helper_normalize_pixelformat() writes the full image data starting from the invalid pointer, causing massive heap corruption confirmed by ASAN. An attacker providing a specially crafted large palettised PNG can corrupt the heap of the victim process, resulting in a reliable crash and potential arbitrary code execution. This issue has been fixed in version 1.8.7-r1.
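The following C program is an added illustration of the arithmetic pattern described above; it is not libsixel's code. The function names, the assumed 4 bytes per pixel for the conversion buffer, the 3-bytes-per-pixel offset of the normalization sub-buffer, and the max_pixels ceiling are assumptions chosen to mirror the description (int arithmetic, then a cast to size_t). The unchecked functions show how the byte count wraps to an undersized allocation and the sub-buffer offset goes negative once width*height exceeds INT_MAX / 4; the checked variant computes in size_t, tests for overflow before every multiply, and enforces a pixel-count limit, which is the input-validation control from the mitigation list.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical illustration of the arithmetic pattern behind CVE-2026-33020.
 * This is NOT libsixel's code: function names, the assumed 4-byte conversion
 * pixel, the 3-byte-per-pixel normalization offset and the max_pixels ceiling
 * are assumptions that mirror the description (int math, then cast to size_t). */

/* Reproduces int wraparound deterministically for the demo: the multiply is
 * done in uint32_t (well-defined) and converted back to int32_t, which yields
 * the value a two's-complement int multiply produces in practice, without
 * relying on signed-overflow undefined behaviour inside this illustration. */
static int32_t wrapping_int_mul(int32_t a, int32_t b)
{
    return (int32_t)((uint32_t)a * (uint32_t)b);
}

/* Vulnerable-style computation: everything in int, cast to size_t last.
 * Once width*height exceeds INT_MAX / 4 the byte count wraps, so the
 * allocator receives a size far smaller than the pixel data later written. */
size_t unchecked_alloc_size(int width, int height)
{
    int npixels = wrapping_int_mul(width, height);
    int bytes   = wrapping_int_mul(npixels, 4);
    return (size_t)bytes;
}

/* Vulnerable-style sub-buffer offset: the same wrap can make it negative,
 * so buffer + offset points before the start of the allocation. */
ptrdiff_t unchecked_norm_offset(int width, int height)
{
    int npixels = wrapping_int_mul(width, height);
    return (ptrdiff_t)wrapping_int_mul(npixels, 3);
}

/* Hardened plan: size_t throughout, an overflow check before each multiply,
 * and an explicit pixel-count ceiling (the input-validation control). */
typedef struct {
    int    ok;           /* 1 if the dimensions were accepted, else 0 */
    size_t alloc_size;   /* bytes to allocate for the conversion buffer */
    size_t norm_offset;  /* byte offset of the normalization sub-buffer */
} alloc_plan;

alloc_plan checked_alloc_plan(size_t width, size_t height, size_t max_pixels)
{
    alloc_plan plan = { 0, 0, 0 };
    size_t npixels;

    if (width == 0 || height == 0) return plan;  /* degenerate image */
    if (width > SIZE_MAX / height) return plan;  /* width*height would wrap */
    npixels = width * height;
    if (npixels > max_pixels)      return plan;  /* policy ceiling on image size */
    if (npixels > SIZE_MAX / 4)    return plan;  /* npixels*4 would wrap */

    plan.ok          = 1;
    plan.alloc_size  = npixels * 4;
    plan.norm_offset = npixels * 3;   /* always < alloc_size, never negative */
    return plan;
}

int main(void)
{
    /* Constructed dimensions: 65536 x 16384 = 2^30 pixels, above INT_MAX / 4. */
    int w = 65536, h = 16384;
    alloc_plan plan = checked_alloc_plan((size_t)w, (size_t)h, (size_t)1 << 28);

    printf("unchecked: alloc_size=%zu norm_offset=%td\n",
           unchecked_alloc_size(w, h), unchecked_norm_offset(w, h));
    printf("checked:   accepted=%d\n", plan.ok);
    return 0;
}
```

For the constructed 65536 x 16384 image the unchecked path yields an allocation size of 0 and a sub-buffer offset of -1073741824, which is exactly the undersized-buffer-plus-negative-offset combination the advisory describes; the checked path rejects the image outright because it exceeds the 2^28-pixel ceiling, and would also reject it on a platform where npixels*4 cannot be represented in size_t.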
- CWE(s): CWE-122 (Heap-based Buffer Overflow), CWE-190 (Integer Overflow or Wraparound)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1203 Exploitation for Client Execution
Why these techniques?
Integer overflow leading to heap buffer overflow in image decoder (libsixel) directly enables client-side RCE when a crafted PNG is processed/opened, matching T1203 Exploitation for Client Execution.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mandates timely remediation of known flaws such as the integer overflow in libsixel by applying the vendor patch, here version 1.8.7-r1.
- SI-16 (Memory Protection): Provides memory protections such as ASLR and DEP that make it harder to turn the heap corruption into arbitrary code execution; they do not stop the undersized allocation or the resulting crash.
- SI-10 (Information Input Validation): Requires validation of input image dimensions and pixel formats so that oversized palettised PNGs, whose pixel count exceeds INT_MAX / 4, are rejected before the overflowing size computation is reached.