Use-After-Free Vulnerability in libsixel Affects Animated GIF Handling
CVE-2026-33018
7 HIGH
What is CVE-2026-33018?
libsixel, a SIXEL encoder/decoder implementation, has a significant vulnerability in its handling of animated GIF images. The flaw is in the load_gif() function, where improper resource management can lead to a use-after-free. Specifically, a single sixel_frame_t object is reused across the frames of an animated GIF, and its reference count is not adequately handled during frame processing. This can cause crashes or, when attacker-supplied input is processed, potentially allow arbitrary code execution. Applications that call sixel_helper_load_image_file() with a multi-frame callback for animated GIFs are particularly susceptible. This issue has been addressed in version 1.8.7-r1.
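A simplified model of the reference-counting failure described above, added here as an illustration and not taken from libsixel. The names frame_t, on_frame and count_stale_callbacks are hypothetical, and the premise that each callback releases one reference is an assumption of this example; dead objects are flagged rather than freed so the program stays well-defined.

```c
#include <stdio.h>

/* Hypothetical stand-in for a reference-counted frame (not sixel_frame_t). */
typedef struct {
    int ref;    /* reference count */
    int alive;  /* cleared when ref hits 0; a real library would free() here */
    int index;  /* number of the GIF frame currently stored in the object */
} frame_t;

static void frame_ref(frame_t *f)   { f->ref++; }
static void frame_unref(frame_t *f) { if (--f->ref == 0) f->alive = 0; }

/* Assumed consumer: treats the frame as its own and releases one reference.
 * Returns 1 when handed an already-released object (the use-after-free). */
static int on_frame(frame_t *f)
{
    if (!f->alive)
        return 1;
    frame_unref(f);
    return 0;
}

/* Loader that reuses ONE frame object for every frame of the animation.
 * ref_per_frame == 0: no reference taken per callback (unbalanced pattern).
 * ref_per_frame == 1: loader holds its own reference for the whole loop. */
int count_stale_callbacks(int nframes, int ref_per_frame)
{
    frame_t f = { .ref = 1, .alive = 1, .index = 0 };
    int stale = 0;

    for (int i = 0; i < nframes; i++) {
        if (ref_per_frame)
            frame_ref(&f);      /* keeps the count above zero in the callback */
        f.index = i;            /* the same object is overwritten per frame */
        stale += on_frame(&f);
    }
    if (ref_per_frame)
        frame_unref(&f);        /* loader drops its own reference once, at the end */
    return stale;
}

int main(void)
{
    printf("unbalanced, 3 frames: %d stale callbacks\n", count_stale_callbacks(3, 0));
    printf("unbalanced, 1 frame:  %d stale callbacks\n", count_stale_callbacks(1, 0));
    printf("balanced,   3 frames: %d stale callbacks\n", count_stale_callbacks(3, 1));
    return 0;
}
```

In this model a single-frame image never reaches the stale path, which matches the advisory's point that multi-frame callbacks on animated GIFs are the exposed case.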
Affected Version(s)
libsixel < 1.8.7-rc1
