Integer Overflow Vulnerability in libcaca's Canvas Import Functionality
CVE-2026-42046

7.8 HIGH

Key Information:

Vendor: Cacalabs

Status
Vendor
CVE Published: 11 May 2026

What is CVE-2026-42046?

The libcaca library, used for color ASCII art rendering, contains an integer overflow in its canvas import functionality. An attacker can craft a 'caca' file that triggers the overflow and produces a controlled heap out-of-bounds write. This may lead to memory corruption or even remote code execution, depending on specific build configurations and memory allocators. This vulnerability is related to a previous issue (CVE-2021-3410) that was inadequately addressed. A fix has been implemented in commit fb77acff9ba6bb01d53940da34fb10f20b156a23.

Affected Version(s)

libcaca <= 0.99.beta20

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
