Cyber Resilience

CVE-2026-33021

Severity: High · Public PoC available

Published: 14 April 2026
Modified: 23 April 2026
KEV Added: not listed
Patch: available (libsixel 1.8.7-r1)
CVSS v3.1 score: 7.3 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H)
EPSS score: 0.0001 (0.9th percentile)
Risk priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-33021 is a high-severity Use After Free (CWE-416) vulnerability in Saitoha Libsixel. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 0.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-33021 is a use-after-free vulnerability in libsixel, a SIXEL encoder/decoder implementation derived from kmiya's sixel, affecting versions 1.8.7 and prior. The flaw resides in the sixel_encoder_encode_bytes() function, where sixel_frame_init() stores a caller-owned pixel buffer pointer directly in frame->pixels without making a defensive copy. A subsequent resize operation in sixel_frame_convert_to_rgb888() unconditionally frees this buffer and replaces it with a new internal allocation, creating a dangling pointer. Any caller access to the original buffer then triggers a use-after-free, as confirmed by AddressSanitizer.

An attacker controlling incoming frames can exploit this vulnerability repeatedly and predictably to cause a reliable crash, with potential for code execution. The CVSS v3.1 base score is 7.3 (AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H), indicating exploitation requires local access with low complexity, no privileges or user interaction, primarily disrupting availability while offering limited confidentiality and integrity impact.

The issue has been addressed in libsixel version 1.8.7-r1. Security practitioners should upgrade to this patched release. Additional details are available in the GitHub security advisory at https://github.com/saitoha/libsixel/security/advisories/GHSA-j6m5-2cc7-3whc and the release notes at https://github.com/saitoha/libsixel/releases/tag/v1.8.7-r1.

EU & UK References

Vulnerability details

libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain a use-after-free vulnerability in sixel_encoder_encode_bytes() because sixel_frame_init() stores the caller-owned pixel buffer pointer directly in frame->pixels without making a defensive copy. When a resize operation is triggered, sixel_frame_convert_to_rgb888() unconditionally frees this caller-owned buffer and replaces it with a new internal allocation, leaving the caller with a dangling pointer. Any subsequent access to the original buffer by the caller constitutes a use-after-free, confirmed by AddressSanitizer. An attacker who controls incoming frames can trigger this bug repeatedly and predictably, resulting in a reliable crash with potential for code execution. This issue has been fixed in version 1.8.7-r1.
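To make the ownership mistake described in the deeper analysis and in the vulnerability details concrete, here is an added C model of the pattern and of the defensive-copy fix. It is not libsixel's code: frame_t, frame_init_alias, frame_init_copy, frame_convert and frame_free are hypothetical names standing in for the advisory's sixel_frame_init() / sixel_frame_convert_to_rgb888() pair, and the pixel values are constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical frame type shaped after the advisory's description;
 * not libsixel's real struct. */
typedef struct {
    unsigned char *pixels;
    size_t len;
} frame_t;

/* Vulnerable pattern: alias the caller's pointer, so the frame will later
 * free memory it never owned and leave the caller with a dangling pointer. */
int frame_init_alias(frame_t *f, unsigned char *caller_buf, size_t len) {
    f->pixels = caller_buf;
    f->len = len;
    return 0;
}

/* Fixed pattern: take a private copy, so the frame owns everything it
 * releases and the caller's buffer is never freed behind its back. */
int frame_init_copy(frame_t *f, const unsigned char *caller_buf, size_t len) {
    f->pixels = malloc(len);
    if (f->pixels == NULL) return -1;
    memcpy(f->pixels, caller_buf, len);
    f->len = len;
    return 0;
}

/* Conversion step shaped like the advisory's resize path: it frees the
 * current buffer and swaps in a fresh allocation (1 byte/pixel -> 3 bytes
 * grey). With frame_init_alias, this free() hits the caller's buffer. */
int frame_convert(frame_t *f) {
    unsigned char *rgb = malloc(f->len * 3);
    if (rgb == NULL) return -1;
    for (size_t i = 0; i < f->len; i++)
        rgb[3 * i] = rgb[3 * i + 1] = rgb[3 * i + 2] = f->pixels[i];
    free(f->pixels);
    f->pixels = rgb;
    f->len *= 3;
    return 0;
}

void frame_free(frame_t *f) { free(f->pixels); f->pixels = NULL; f->len = 0; }

/* Safe sequence: copy in, convert, caller's buffer stays valid throughout.
 * Returns 1 when the converted frame and the untouched caller buffer check out. */
int encode_with_copy(void) {
    unsigned char caller_buf[4] = {1, 2, 3, 4};   /* constructed sample pixels */
    frame_t f;
    if (frame_init_copy(&f, caller_buf, sizeof caller_buf) != 0) return 0;
    if (frame_convert(&f) != 0) { frame_free(&f); return 0; }
    int ok = f.len == 12 && f.pixels[0] == 1 && f.pixels[11] == 4 && caller_buf[3] == 4;
    frame_free(&f);
    return ok;
}
```

Building the aliasing variant with AddressSanitizer (-fsanitize=address) is the quickest way to confirm a library or caller still exhibits the pattern, since the free() of the borrowed buffer is reported at the point of the later access.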

CWE(s): CWE-416 Use After Free

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Use-after-free in libsixel triggered by attacker-controlled SIXEL frames enables local exploitation for code execution (T1068/T1203) or reliable crash/DoS (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-33023: same product (Saitoha Libsixel)
CVE-2026-33020: same product (Saitoha Libsixel)
CVE-2026-44636: same product (Saitoha Libsixel)
CVE-2026-44637: same product (Saitoha Libsixel)
CVE-2026-33019: same product (Saitoha Libsixel)
CVE-2026-22165: shared CWE-416
CVE-2026-8511: shared CWE-416
CVE-2026-4676: shared CWE-416
CVE-2026-7908: shared CWE-416
CVE-2026-31419: shared CWE-416

Affected Assets

saitoha libsixel ≤ 1.8.7-r1

Mitigating Controls (NIST 800-53 r5, AI)

Prevent (SI-2 Flaw Remediation): Mandates timely identification, reporting, and remediation of software flaws like this use-after-free vulnerability by applying the patch in libsixel version 1.8.7-r1.

Prevent: Implements runtime memory protections such as ASLR and DEP that mitigate exploitation of use-after-free vulnerabilities for code execution despite the underlying flaw.

Detect (RA-5 Vulnerability Monitoring and Scanning): Requires vulnerability scanning to identify known issues like CVE-2026-33021 in libraries such as libsixel, enabling proactive patching.

References