Use-After-Free Vulnerability in libsixel's SIXEL Encoder/Decoder Implementation for GDK-Pixbuf2 Support
CVE-2026-33023
7.8 HIGH
What is CVE-2026-33023?
libsixel, a SIXEL encoder/decoder, contains a use-after-free in the load_with_gdkpixbuf() function when it is built with GDK-Pixbuf2 support. The loader frees a sixel_frame_t object without correctly accounting for the references still held to it, so a pointer to the freed frame remains in use afterwards. An attacker who can get an application to decode a crafted image through this code path can trigger the dangling access; depending on what the freed memory is reused for, the outcome ranges from information disclosure and memory corruption to potentially arbitrary code execution. Users should update to version 1.8.7-r1 or later, where the issue is resolved.
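The bug class described above, a loader that drops the only reference to a reference-counted frame before the caller gets to use it, is easier to recognize side by side with its fix. The following is an added illustration written for this page, not libsixel's code: the frame_t type, the frame_ref/frame_unref/frame_new helpers, the load_frame_buggy/load_frame_fixed functions and the SAMPLE_IMG bytes are all hypothetical stand-ins, and nothing here reproduces libsixel's actual internals or the actual patch. A live-frame counter is used as instrumentation so the dangling handle can be observed without dereferencing freed memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical reference-counted frame. Shaped like a refcounted
 * sixel_frame_t-style object to show the bug class; NOT libsixel's code. */
typedef struct {
    int refcount;
    size_t size;
    unsigned char *pixels;
} frame_t;

/* Instrumentation: lets a caller observe frees without touching freed memory. */
static int live_frames = 0;
int frame_live_count(void) { return live_frames; }
int frame_refcount(const frame_t *f) { return f->refcount; }

static frame_t *frame_new(size_t size)
{
    frame_t *f = calloc(1, sizeof *f);
    if (f == NULL)
        return NULL;
    f->pixels = malloc(size);
    if (f->pixels == NULL) {
        free(f);
        return NULL;
    }
    f->size = size;
    f->refcount = 1;          /* the creator holds the first reference */
    live_frames++;
    return f;
}

static void frame_ref(frame_t *f) { f->refcount++; }

static void frame_unref(frame_t *f)
{
    if (--f->refcount == 0) { /* last reference gone: release storage */
        free(f->pixels);
        free(f);
        live_frames--;
    }
}

/* Buggy loader: builds a frame from decoded image bytes, stores it in *out,
 * then drops its own reference. That was the only reference, so the frame is
 * freed before the caller ever uses it and *out is a dangling pointer. */
int load_frame_buggy(const unsigned char *img, size_t n, frame_t **out)
{
    frame_t *f = frame_new(n);
    if (f == NULL)
        return -1;
    memcpy(f->pixels, img, n);
    *out = f;                 /* caller now holds a pointer ... */
    frame_unref(f);           /* ... but refcount hits 0 here: freed */
    return 0;                 /* any later use of *out is a use-after-free */
}

/* Fixed loader: takes a reference on the caller's behalf before releasing its
 * own, so the caller ends up owning exactly one valid reference. */
int load_frame_fixed(const unsigned char *img, size_t n, frame_t **out)
{
    frame_t *f = frame_new(n);
    if (f == NULL)
        return -1;
    memcpy(f->pixels, img, n);
    frame_ref(f);             /* this reference is handed to the caller */
    *out = f;
    frame_unref(f);           /* the loader's own reference is released */
    return 0;                 /* *out is valid, refcount == 1 */
}

/* Constructed sample "decoded image" bytes for the demo; not a real image. */
static const unsigned char SAMPLE_IMG[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06 };

int main(void)
{
    frame_t *f = NULL;

    load_frame_buggy(SAMPLE_IMG, sizeof SAMPLE_IMG, &f);
    printf("buggy: live frames after load = %d (caller's pointer is dangling)\n",
           frame_live_count());
    /* Reading f->size here would be the use-after-free; build with
     * -fsanitize=address to have it reported as heap-use-after-free. */

    f = NULL;
    load_frame_fixed(SAMPLE_IMG, sizeof SAMPLE_IMG, &f);
    printf("fixed: live frames = %d, refcount = %d, size = %zu\n",
           frame_live_count(), frame_refcount(f), f->size);
    frame_unref(f);           /* caller releases the reference it was given */
    printf("fixed: live frames after release = %d\n", frame_live_count());
    return 0;
}
```

The invariant worth checking in any refcounted loader is the one the fixed variant preserves: every reference the function publishes (a returned pointer, an out-parameter, a pointer stored into another object) is matched by a frame_ref before the function drops its own. Compiling the buggy path with -fsanitize=address and dereferencing the returned pointer produces a heap-use-after-free report, which is the practical way to confirm this pattern in a real code base.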
Affected Version(s)
libsixel < 1.8.7-r1
