
CVE-2025-9300: Stack-based Buffer Overflow in saitoha libsixel

Severity: Medium
Type: Vulnerability
Published: Thu Aug 21 2025 (08/21/2025, 13:02:08 UTC)
Source: CVE Database V5
Vendor/Project: saitoha
Product: libsixel

Description

A vulnerability was found in saitoha libsixel up to 1.10.3. Affected by this issue is the function sixel_debug_print_palette of the file src/encoder.c of the component img2sixel. The manipulation results in stack-based buffer overflow. The attack must be initiated from a local position. The exploit has been made public and could be used. The patch is identified as 316c086e79d66b62c0c4bc66229ee894e4fdb7d1. Applying a patch is advised to resolve this issue.

AI-Powered Analysis

Last updated: 08/21/2025, 13:32:48 UTC

Technical Analysis

CVE-2025-9300 is a stack-based buffer overflow vulnerability identified in the saitoha libsixel library, specifically affecting versions 1.10.0 through 1.10.3. The flaw resides in the function sixel_debug_print_palette within the src/encoder.c file of the img2sixel component. This function improperly handles input data, leading to a stack-based buffer overflow condition. Exploitation requires local access with at least low-level privileges (PR:L), and no user interaction is necessary. The vulnerability allows an attacker to overwrite parts of the stack, potentially leading to arbitrary code execution or application crashes, thereby compromising the integrity and availability of the affected system. The vulnerability has a CVSS score of 4.8, categorized as medium severity, reflecting its limited attack vector (local), the requirement for low privileges, and the partial impact on confidentiality, integrity, and availability. A patch has been identified (commit 316c086e79d66b62c0c4bc66229ee894e4fdb7d1) to address this issue, and its application is strongly advised. Although the exploit code has been publicly disclosed, there are no confirmed reports of active exploitation in the wild at this time. The libsixel library is commonly used for encoding images into the sixel format, often utilized in terminal emulators and image processing tools, which may be part of development environments or specialized software stacks.

Potential Impact

For European organizations, the impact of CVE-2025-9300 depends largely on the deployment of the libsixel library within their infrastructure. Organizations using software that incorporates libsixel for image encoding or terminal graphics rendering could face risks of local privilege escalation or denial of service if an attacker gains local access. This is particularly relevant for development environments, CI/CD pipelines, or specialized terminal applications that process sixel images. The vulnerability could be leveraged by malicious insiders or attackers who have already compromised a low-privilege account to escalate privileges or disrupt services. While the requirement for local access limits remote exploitation, the presence of publicly available exploit code increases the risk of lateral movement within networks. European sectors with high reliance on secure development environments, such as finance, critical infrastructure, and government agencies, should be vigilant. Additionally, organizations with remote desktop or terminal access services that might expose local user environments could be indirectly affected if attackers gain a foothold through other means.

Mitigation Recommendations

To mitigate CVE-2025-9300, European organizations should:

1) Immediately apply the official patch identified by commit 316c086e79d66b62c0c4bc66229ee894e4fdb7d1 to all affected libsixel versions (1.10.0 to 1.10.3).
2) Conduct an inventory of software and systems that utilize libsixel, including indirect dependencies in development tools and terminal emulators, to ensure comprehensive patching.
3) Restrict local access to systems running vulnerable libsixel versions by enforcing strict access controls, limiting user privileges, and monitoring for unauthorized local login attempts.
4) Implement application whitelisting and runtime protection mechanisms to detect and prevent exploitation attempts involving buffer overflow behaviors.
5) Enhance logging and monitoring around local user activities and image processing components to detect anomalous behavior indicative of exploitation attempts.
6) Educate system administrators and developers about the vulnerability and the importance of applying patches promptly, especially in environments where local access cannot be fully restricted.
7) Consider deploying endpoint detection and response (EDR) solutions capable of identifying exploitation techniques related to stack-based buffer overflows.
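For the inventory step in recommendation 2, the following shell script (an added example, not part of the advisory or the libsixel project) classifies collected version strings against the ranges this page gives. The tab-separated inventory format, the host and component names, and the function names are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the advisory: triage libsixel version strings.

# Print a verdict for one version string:
#   affected   - 1.10.0 through 1.10.3 (range named in the analysis)
#   review     - below 1.10.0 (the description says only "up to 1.10.3")
#   not-listed - above 1.10.3
#   unknown    - not a dotted numeric version (e.g. a vendored snapshot)
classify_libsixel_version() {
    v=${1#*:}          # drop a package epoch such as "1:"
    v=${v%%[-+~]*}     # drop distro/build suffixes such as "-3build1"
    case $v in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $v; IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    if   [ "$major" -gt 1 ];  then echo not-listed
    elif [ "$major" -lt 1 ];  then echo review
    elif [ "$minor" -gt 10 ]; then echo not-listed
    elif [ "$minor" -lt 10 ]; then echo review
    elif [ "$patch" -le 3 ];  then echo affected
    else echo not-listed
    fi
}

# Read "host<TAB>component<TAB>version" lines on stdin and print the rows
# that need follow-up, prefixed with the verdict.
triage_inventory() {
    tab=$(printf '\t')
    while IFS=$tab read -r host component version; do
        [ -n "$host" ] || continue
        verdict=$(classify_libsixel_version "$version")
        [ "$verdict" = not-listed ] ||
            printf '%s\t%s\t%s\t%s\n' "$verdict" "$host" "$component" "$version"
    done
}

# Constructed sample inventory (hosts, components and versions are made up).
sample_inventory() {
    printf 'build-01\tlibsixel1\t1.10.3-3build1\n'
    printf 'dev-07\timg2sixel\t1.10.1\n'
    printf 'ws-12\tlibsixel1\t1.8.6-2\n'
    printf 'ci-03\tlibsixel\t1.10.5\n'
    printf 'kiosk-2\tvendored-copy\tgit-snapshot\n'
}

sample_inventory | triage_inventory
```

A version match marks a candidate to verify against commit 316c086e79d66b62c0c4bc66229ee894e4fdb7d1, because the page identifies the fix by commit and a packaged build may already carry it.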


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-21T05:25:08.724Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68a71c96ad5a09ad0011027c

Added to database: 8/21/2025, 1:18:14 PM

Last enriched: 8/21/2025, 1:32:48 PM

Last updated: 8/22/2025, 12:34:56 AM
