CVE-2026-11623: Use After Free in tmux
A security vulnerability has been detected in tmux up to 3.6a. Affected is the function image_free of the file image.c. Such manipulation leads to use after free. Local access is required to approach this attack. This attack is characterized by high complexity. The exploitability is told to be difficult. The exploit has been disclosed publicly and may be used. Upgrading to version 3.7-rc is able to address this issue. The name of the patch is fc6d94a9f8a593bd8b7031650802084385d4ee03. The affected component should be upgraded.
AI Analysis
Technical Summary
This vulnerability involves a use-after-free condition in the image_free function within the image.c file of tmux up to version 3.6a. The flaw allows an attacker with local access to potentially manipulate memory after it has been freed, which can lead to undefined behavior. The attack complexity is high, and no user interaction is required. The vulnerability has a low CVSS 4.0 base score of 2.0, reflecting limited impact and difficult exploitability. A patch identified by commit fc6d94a9f8a593bd8b7031650802084385d4ee03 is included in tmux version 3.7-rc, which mitigates the issue.
Potential Impact
The vulnerability allows a local attacker to trigger a use-after-free condition, which could lead to memory corruption or crashes. However, the low CVSS score and high complexity indicate limited practical impact and difficult exploitation. No known exploits in the wild have been reported.
Mitigation Recommendations
Upgrade tmux to version 3.7-rc or later, which includes the patch fc6d94a9f8a593bd8b7031650802084385d4ee03 that fixes this use-after-free vulnerability. Since this is a local vulnerability requiring complex exploitation, applying the official patch is the recommended remediation.
CVE-2026-11623: Use After Free in tmux
Description
A security vulnerability has been detected in tmux up to 3.6a. Affected is the function image_free of the file image.c. Such manipulation leads to use after free. Local access is required to approach this attack. This attack is characterized by high complexity. The exploitability is told to be difficult. The exploit has been disclosed publicly and may be used. Upgrading to version 3.7-rc is able to address this issue. The name of the patch is fc6d94a9f8a593bd8b7031650802084385d4ee03. The affected component should be upgraded.
CVSS v4.0
Score 2.0low
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability involves a use-after-free condition in the image_free function within the image.c file of tmux up to version 3.6a. The flaw allows an attacker with local access to potentially manipulate memory after it has been freed, which can lead to undefined behavior. The attack complexity is high, and no user interaction is required. The vulnerability has a low CVSS 4.0 base score of 2.0, reflecting limited impact and difficult exploitability. A patch identified by commit fc6d94a9f8a593bd8b7031650802084385d4ee03 is included in tmux version 3.7-rc, which mitigates the issue.
Potential Impact
The vulnerability allows a local attacker to trigger a use-after-free condition, which could lead to memory corruption or crashes. However, the low CVSS score and high complexity indicate limited practical impact and difficult exploitation. No known exploits in the wild have been reported.
Mitigation Recommendations
Upgrade tmux to version 3.7-rc or later, which includes the patch fc6d94a9f8a593bd8b7031650802084385d4ee03 that fixes this use-after-free vulnerability. Since this is a local vulnerability requiring complex exploitation, applying the official patch is the recommended remediation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulDB
- Date Reserved
- 2026-06-08T20:19:58.448Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a279b29e29bf47b503573a5
Added to database: 6/9/2026, 4:48:41 AM
Last enriched: 6/9/2026, 5:21:02 AM
Last updated: 6/9/2026, 12:10:33 PM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.