CVE-2026-33021
Published: 14 April 2026
Summary
CVE-2026-33021 is a high-severity Use After Free (CWE-416) vulnerability in Saitoha Libsixel. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 0.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-33021 is a use-after-free vulnerability in libsixel, a SIXEL encoder/decoder implementation derived from kmiya's sixel, affecting versions 1.8.7 and prior. The flaw resides in the sixel_encoder_encode_bytes() function, where sixel_frame_init() stores a caller-owned pixel buffer pointer directly in frame->pixels without making a defensive copy. A subsequent resize operation in sixel_frame_convert_to_rgb888() unconditionally frees this buffer and replaces it with a new internal allocation, creating a dangling pointer. Any caller access to the original buffer then triggers a use-after-free, as confirmed by AddressSanitizer.
An attacker controlling incoming frames can exploit this vulnerability repeatedly and predictably to cause a reliable crash, with potential for code execution. The CVSS v3.1 base score is 7.3 (AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H), indicating exploitation requires local access with low complexity, no privileges or user interaction, primarily disrupting availability while offering limited confidentiality and integrity impact.
The issue has been addressed in libsixel version 1.8.7-r1. Security practitioners should upgrade to this patched release. Additional details are available in the GitHub security advisory at https://github.com/saitoha/libsixel/security/advisories/GHSA-j6m5-2cc7-3whc and the release notes at https://github.com/saitoha/libsixel/releases/tag/v1.8.7-r1.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-22746
Vulnerability details
libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain a use-after-free vulnerability in sixel_encoder_encode_bytes() because sixel_frame_init() stores the caller-owned pixel buffer pointer directly in frame->pixels without making a defensive copy. When a resize operation is triggered, sixel_frame_convert_to_rgb888() unconditionally frees this caller-owned buffer and replaces it with a new internal allocation, leaving the caller with a dangling pointer. Any subsequent access to the original buffer by the caller constitutes a use-after-free, confirmed by AddressSanitizer. An attacker who controls incoming frames can trigger this bug repeatedly and predictably, resulting in a reliable crash with potential for code execution. This issue has been fixed in version 1.8.7-r1.
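The ownership mistake described in "Deeper analysis" and again in "Vulnerability details" (an init routine aliasing a caller-owned buffer, followed by a convert/resize step that frees whatever the frame currently points at) is shown below as an added illustration in C. This is not libsixel's code: frame_t, frame_init_aliasing, frame_init_copying and frame_resize are hypothetical names chosen for the example. The vulnerable init is included only so that a pointer-equality check can detect the aliasing; the resize is exercised only through the hardened (copying) init, so nothing here executes a use-after-free.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical toy frame modelling the advisory's ownership bug (not libsixel's API). */
typedef struct {
    unsigned char *pixels;   /* buffer the frame operates on */
    size_t         size;     /* number of bytes in pixels */
} frame_t;

/* Vulnerable pattern: keep a raw alias of the caller's buffer. Nothing records
 * that the library does not own it, so a later free() inside the library
 * silently invalidates the caller's pointer. */
int frame_init_aliasing(frame_t *f, unsigned char *caller_buf, size_t size)
{
    f->pixels = caller_buf;  /* no defensive copy */
    f->size   = size;
    return 0;
}

/* Hardened pattern: take a private copy up front. Every buffer reachable via
 * f->pixels is now library-allocated and may be freed/replaced at will. */
int frame_init_copying(frame_t *f, const unsigned char *caller_buf, size_t size)
{
    unsigned char *copy = malloc(size);
    if (copy == NULL)
        return -1;
    memcpy(copy, caller_buf, size);
    f->pixels = copy;
    f->size   = size;
    return 0;
}

/* Stand-in for the convert/resize step: unconditionally frees the current
 * buffer and installs a fresh allocation (twice the size, constructed marker). */
int frame_resize(frame_t *f)
{
    size_t new_size = f->size * 2;
    unsigned char *fresh = malloc(new_size);
    if (fresh == NULL)
        return -1;
    memset(fresh, 0xAA, new_size);
    free(f->pixels);         /* with the aliasing init this would be the caller's buffer */
    f->pixels = fresh;
    f->size   = new_size;
    return 0;
}

void frame_release(frame_t *f)
{
    free(f->pixels);
    f->pixels = NULL;
    f->size   = 0;
}

/* Review/unit-test check: after init, does the frame alias the caller's buffer?
 * use_copying selects the hardened init (1) or the vulnerable one (0).
 * Returns 1 if the pointers alias, 0 if not, -1 on allocation failure.
 * No buffer is freed through the frame, so the vulnerable path is inspected
 * without executing a use-after-free. */
int init_aliases_caller_buffer(int use_copying)
{
    const size_t n = 8;
    unsigned char *caller_buf = malloc(n);
    if (caller_buf == NULL)
        return -1;
    memset(caller_buf, 0x11, n);  /* constructed sample pixels */
    frame_t f;
    int rc = use_copying ? frame_init_copying(&f, caller_buf, n)
                         : frame_init_aliasing(&f, caller_buf, n);
    if (rc != 0) { free(caller_buf); return -1; }
    int aliases = (f.pixels == caller_buf);
    if (!aliases)
        free(f.pixels);      /* the private copy belongs to the frame */
    free(caller_buf);        /* the caller's buffer is always the caller's to free */
    return aliases;
}

/* The property the fix must guarantee: after a resize, the caller's buffer is
 * still valid and unchanged. Returns 1 when every byte survived, else 0. */
int caller_buffer_survives_resize(void)
{
    const size_t n = 16;
    unsigned char *caller_buf = malloc(n);
    if (caller_buf == NULL)
        return 0;
    memset(caller_buf, 0x42, n);  /* constructed sample pixels */
    frame_t f;
    int ok = 0;
    if (frame_init_copying(&f, caller_buf, n) == 0) {
        if (frame_resize(&f) == 0) {
            ok = 1;
            for (size_t i = 0; i < n; i++)
                if (caller_buf[i] != 0x42)
                    ok = 0;
        }
        frame_release(&f);
    }
    free(caller_buf);
    return ok;
}

int main(void)
{
    return (init_aliases_caller_buffer(0) == 1 &&
            init_aliases_caller_buffer(1) == 0 &&
            caller_buffer_survives_resize() == 1) ? 0 : 1;
}
```

The pointer-equality check is the cheapest regression guard for this class of bug: if a library's init routine ever hands back a frame whose buffer pointer equals the caller's input pointer, any internal free or realloc path becomes a caller-visible use-after-free. An alternative fix that avoids the copy is an explicit ownership flag consulted before every free; the copying version is shown because it keeps the invariant local to one function.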
- CWE(s): CWE-416 (Use After Free)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Use-after-free in libsixel triggered by attacker-controlled SIXEL frames enables local exploitation for code execution (T1068/T1203) or reliable crash/DoS (T1499.004).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Mandates timely identification, reporting, and remediation of software flaws like this use-after-free vulnerability by applying the patch in libsixel version 1.8.7-r1.
- SI-16 (Memory Protection): Implements runtime memory protections such as ASLR and DEP that mitigate exploitation of use-after-free vulnerabilities for code execution despite the underlying flaw.
- RA-5 (Vulnerability Monitoring and Scanning): Requires vulnerability scanning to identify known issues like CVE-2026-33021 in libraries such as libsixel, enabling proactive patching.