Denial of Service in libsixel SIXEL Encoder/Decoder by Saitoha
CVE-2026-44638

2.5 LOW

Key Information:

Vendor: Saitoha
Status: Vendor
CVE Published: 14 May 2026

What is CVE-2026-44638?

The libsixel SIXEL encoder/decoder, developed by Saitoha, is vulnerable to a denial of service caused by incorrect allocation-failure handling in the sixel_decode_raw and sixel_decode functions. After allocating memory, the code checks the address of the output parameter rather than the value returned by malloc, so the NULL check can never fire (a false negative). When allocation fails under low-memory conditions, the function therefore continues as if the allocation had succeeded, writes through a NULL pointer, and the process crashes. The vulnerability has been addressed in version 1.8.7-r2.
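The bug class described above, as a constructed C illustration added here (not libsixel's code): a decoder-style function that checks the address of its output parameter after allocation, beside the corrected check on the allocated value. The allocator hook, the function names and the status codes are assumptions made so that allocation failure can be reproduced without exhausting memory.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical status codes for this illustration. */
#define SIXEL_OK          0
#define SIXEL_BAD_ALLOC   1
#define SIXEL_NULL_DEREF  2   /* where real code would have crashed */

/* Allocator hook so a test can force the allocation to fail. */
static void *(*g_alloc)(size_t) = malloc;
void set_allocator(void *(*fn)(size_t)) { g_alloc = fn ? fn : malloc; }
void *failing_alloc(size_t n) { (void)n; return NULL; }

/* Stand-in for the pixel write that follows the allocation. Returns -1
 * instead of dereferencing NULL so the flawed path can be observed. */
static int fill_pixels(unsigned char *buf, size_t n)
{
    if (buf == NULL)
        return -1;
    memset(buf, 0, n);
    return 0;
}

/* Flawed pattern: 'pixels' is the address of the caller's output pointer,
 * which is never NULL, so the check cannot detect a failed allocation. */
int decode_raw_flawed(unsigned char **pixels, size_t width, size_t height)
{
    size_t n = width * height;
    *pixels = g_alloc(n);
    if (pixels == NULL)           /* bug: checks &output, not the allocation */
        return SIXEL_BAD_ALLOC;
    return fill_pixels(*pixels, n) == 0 ? SIXEL_OK : SIXEL_NULL_DEREF;
}

/* Corrected pattern: test the value malloc actually returned. */
int decode_raw_fixed(unsigned char **pixels, size_t width, size_t height)
{
    size_t n = width * height;
    *pixels = g_alloc(n);
    if (*pixels == NULL)          /* fix: checks the allocated buffer */
        return SIXEL_BAD_ALLOC;
    return fill_pixels(*pixels, n) == 0 ? SIXEL_OK : SIXEL_NULL_DEREF;
}
```

Under a failing allocator the flawed function reaches the write (SIXEL_NULL_DEREF), while the fixed one returns SIXEL_BAD_ALLOC before touching the buffer.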

Affected Version(s)

libsixel >= 1.0.0, < 1.8.7-r2

References

CVSS V3.1

Score: 2.5
Severity: LOW
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved