CVE-2026-33023
Published: 14 April 2026
Summary
CVE-2026-33023 is a high-severity Use After Free (CWE-416) vulnerability in Saitoha Libsixel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE is ranked at the 0.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-33023 is a use-after-free vulnerability in libsixel, an implementation of a SIXEL encoder/decoder derived from kmiya's sixel. It affects versions 1.8.7 and prior when built with the --with-gdk-pixbuf2 option. The issue occurs in the load_with_gdkpixbuf() function in loader.c, where the cleanup path manually frees a sixel_frame_t object and its internal buffers without checking the reference count. This object is created via the refcounted constructor sixel_frame_new() and exposed to a public callback, leading to a dangling pointer if the callback calls sixel_frame_ref(frame). AddressSanitizer confirms the use-after-free on subsequent access. The root cause stems from inconsistent cleanup strategies: sixel_frame_unref() in load_with_builtin() versus raw free() in load_with_gdkpixbuf(). It is classified as CWE-416 with a CVSS v3.1 score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
An attacker can exploit this by supplying a crafted image to any application linked against libsixel with gdk-pixbuf2 support. Exploitation requires local access and user interaction, such as tricking a user into loading the malicious SIXEL image file via sixel_helper_load_image_file(). A successful attack can result in information disclosure, memory corruption, or arbitrary code execution due to the dangling pointer access.
The vulnerability has been fixed in libsixel version 1.8.7-r1, as detailed in the project's GitHub release notes and security advisory GHSA-hr25-g2j6-qjw6. Security practitioners should update affected applications to this patched version and verify build configurations including gdk-pixbuf2 support.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-22748
Vulnerability details
libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. In versions 1.8.7 and prior, when built with the --with-gdk-pixbuf2 option, a use-after-free vulnerability exists in load_with_gdkpixbuf() in loader.c. The cleanup path manually frees the sixel_frame_t object and its internal buffers without consulting the reference count, even though the object was created via the refcounted constructor sixel_frame_new() and exposed to the public callback. A callback that calls sixel_frame_ref(frame) to retain a logically valid reference will hold a dangling pointer after sixel_helper_load_image_file() returns, and any subsequent access to the frame or its fields triggers a use-after-free confirmed by AddressSanitizer. The root cause is a consistency failure between two cleanup strategies in the same codebase: sixel_frame_unref() is used in load_with_builtin() but raw free() is used in load_with_gdkpixbuf(). An attacker supplying a crafted image to any application built against libsixel with gdk-pixbuf2 support can trigger this reliably, potentially leading to information disclosure, memory corruption, or code execution. This issue has been fixed in version 1.8.7-r1.
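The ownership rule the advisory describes (a refcounted object handed to a public callback must be released with unref, never with a raw free) is easiest to see in a small model. The following is an added example written for this page; it is a toy reference-counted frame, not libsixel's sixel_frame_t, and the names frame_new, frame_ref, frame_unref, load_image and the callbacks are all constructed here. The loader releases only the reference it created, so a consumer that retains the frame in its callback keeps a valid object; the comment in load_image marks where the inconsistent cleanup pattern would instead ignore the count.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy reference-counted frame, constructed for this example.
 * It models the ownership rules described above; it is not libsixel's
 * sixel_frame_t and none of these names are libsixel APIs. */
typedef struct {
    int refcount;          /* number of live owners */
    unsigned char *pixels; /* internal buffer owned by the frame */
    size_t len;
} frame_t;

/* Constructor hands the caller exactly one reference (refcount == 1). */
static frame_t *frame_new(size_t len) {
    frame_t *f = calloc(1, sizeof *f);
    if (f == NULL) return NULL;
    f->pixels = calloc(len ? len : 1, 1);
    if (f->pixels == NULL) { free(f); return NULL; }
    f->len = len;
    f->refcount = 1;
    return f;
}

static void frame_ref(frame_t *f) { f->refcount++; }

/* Drop one reference. Returns 1 if this call destroyed the object,
 * 0 if another owner still holds it. */
static int frame_unref(frame_t *f) {
    if (--f->refcount > 0) return 0;
    free(f->pixels);
    free(f);
    return 1;
}

typedef void (*load_callback_t)(frame_t *frame, void *ctx);

/* Loader cleanup written the consistent way: it releases only the
 * reference it created. A consumer that called frame_ref() inside the
 * callback keeps a valid object. The inconsistent pattern the advisory
 * describes would instead do `free(f->pixels); free(f);` here, ignoring
 * refcount, and leave that consumer with a dangling pointer.
 * Returns 1 if the loader's unref destroyed the frame, 0 if a callback
 * still holds it, -1 on allocation failure. */
static int load_image(size_t len, load_callback_t cb, void *ctx) {
    frame_t *f = frame_new(len);
    if (f == NULL) return -1;
    cb(f, ctx);
    return frame_unref(f);
}

/* Consumer that legitimately retains the frame beyond the loader call. */
static void retaining_callback(frame_t *frame, void *ctx) {
    frame_ref(frame);
    *(frame_t **)ctx = frame;
}

/* Consumer that only inspects the frame during the call. */
static void inspecting_callback(frame_t *frame, void *ctx) {
    *(size_t *)ctx = frame->len;
}

/* Returns 1 when a retained frame survives the loader and is freed
 * exactly when its last owner lets go. */
static int demo_retained(void) {
    frame_t *kept = NULL;
    int loader_destroyed = load_image(16, retaining_callback, &kept);
    if (loader_destroyed != 0 || kept == NULL) return 0;
    int still_one_owner = (kept->refcount == 1 && kept->len == 16);
    int destroyed_now = frame_unref(kept);
    return still_one_owner && destroyed_now;
}

/* Returns 1 when a non-retaining callback leaves the loader as sole
 * owner, so the loader's own unref is what frees the frame. */
static int demo_unretained(void) {
    size_t seen = 0;
    int loader_destroyed = load_image(8, inspecting_callback, &seen);
    return loader_destroyed == 1 && seen == 8;
}

int main(void) {
    printf("retained frame handled correctly: %d\n", demo_retained());
    printf("unretained frame freed by loader: %d\n", demo_unretained());
    return 0;
}
```

Building this model with -fsanitize=address and swapping the unref in load_image for the raw free pair is the same experiment the advisory reports: the retaining consumer's later access is flagged as a heap-use-after-free, which is the regression check a maintainer would keep alongside a fix like 1.8.7-r1.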
- CWE(s): CWE-416 (Use After Free)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The use-after-free in the SIXEL image loader enables remote code execution via a crafted malicious image file that requires user interaction (T1204.003); this maps directly to client application exploitation for code execution (T1203).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mandates timely identification, reporting, and remediation of software flaws such as the use-after-free in libsixel's load_with_gdkpixbuf() function.
- SI-16 (Memory Protection): Implements memory protection mechanisms such as ASLR and DEP that directly mitigate exploitation of use-after-free vulnerabilities by protecting against invalid memory access.
- RA-5 (Vulnerability Monitoring and Scanning): Requires vulnerability scanning to identify the presence of CVE-2026-33023 in libsixel libraries built with gdk-pixbuf2 support.