Integer Overflow Vulnerability in libsixel SIXEL Implementation by Saitoha
CVE-2026-33019
7.1 HIGH
What is CVE-2026-33019?
libsixel, a library used for encoding and decoding SIXEL graphics, has an integer overflow vulnerability in the handling of the --crop option in img2sixel. Because the crop coordinates are not validated correctly, an attacker can craft input whose coordinates exceed safe limits, which may lead to an out-of-bounds memory read. This triggers a crash and poses a potential risk of information disclosure from the heap. Versions prior to 1.8.7 are susceptible; the issue has been fixed in version 1.8.7-r1.
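The class of check described above, as an added example that is not libsixel's own code: a crop-bounds test whose addition wraps, beside an overflow-safe form. The struct, the function names and the unsigned 32-bit types are assumptions chosen so the wraparound is well defined in C; the sample values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical crop rectangle; field names and types are assumptions,
 * not libsixel's own definitions. */
typedef struct {
    uint32_t x, y, w, h;
} crop_rect;

/* Flawed pattern: x + w and y + h are reduced to 32 bits and can wrap,
 * so a huge offset plus a small size passes the comparison. */
static int crop_ok_naive(crop_rect c, uint32_t img_w, uint32_t img_h)
{
    return (uint32_t)(c.x + c.w) <= img_w && (uint32_t)(c.y + c.h) <= img_h;
}

/* Overflow-safe pattern: compare each offset against the image size
 * first, then compare the size against the remaining room. No addition
 * is performed, so nothing can wrap. */
static int crop_ok_checked(crop_rect c, uint32_t img_w, uint32_t img_h)
{
    if (c.w == 0 || c.h == 0)
        return 0;                       /* empty crop is rejected */
    if (c.x >= img_w || c.y >= img_h)
        return 0;                       /* origin outside the image */
    return c.w <= img_w - c.x && c.h <= img_h - c.y;
}

int main(void)
{
    /* Constructed sample values for a 640x480 image. */
    crop_rect inside  = { 10, 10, 100, 100 };
    crop_rect wrapped = { UINT32_MAX - 4, 0, 10, 10 }; /* x + w wraps to 5 */

    printf("inside : naive=%d checked=%d\n",
           crop_ok_naive(inside, 640, 480), crop_ok_checked(inside, 640, 480));
    printf("wrapped: naive=%d checked=%d\n",
           crop_ok_naive(wrapped, 640, 480), crop_ok_checked(wrapped, 640, 480));
    return 0;
}
```

The same subtract-instead-of-add ordering applies when the coordinates are signed, provided negative values are rejected before the comparison.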
Affected Version(s)
libsixel < 1.8.7-r1
