CVE-2026-33018: CWE-416: Use After Free in saitoha libsixel
libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain a Use-After-Free vulnerability via the load_gif() function in fromgif.c, where a single sixel_frame_t object is reused across all frames of an animated GIF and gif_init_frame() unconditionally frees and reallocates frame->pixels between frames without consulting the object's reference count. Because the public API explicitly provides sixel_frame_ref() to retain a frame and sixel_frame_get_pixels() to access the raw pixel buffer, a callback following this documented usage pattern will hold a dangling pointer after the second frame is decoded, resulting in a heap use-after-free confirmed by ASAN. Any application using sixel_helper_load_image_file() with a multi-frame callback to process user-supplied animated GIFs is affected, with a reliable crash as the minimum impact and potential for code execution. This issue has been fixed in version 1.8.7-r1.
AI Analysis
Technical Summary
The vulnerability in libsixel (CVE-2026-33018) is a Use-After-Free (CWE-416) in the load_gif() function within fromgif.c. The problem occurs because a single sixel_frame_t object is reused for all frames of an animated GIF, and gif_init_frame() unconditionally frees and reallocates the pixel buffer without considering the reference count. The public API allows retaining frames and accessing raw pixel buffers, but after the second frame is decoded, callbacks holding these pointers encounter dangling references, confirmed by ASAN. This leads to a heap use-after-free condition that can cause reliable crashes and potentially code execution. The vulnerability affects libsixel versions before 1.8.7-rc1 and is resolved in version 1.8.7-r1.
Potential Impact
Exploitation of this vulnerability can cause heap use-after-free conditions resulting in application crashes at minimum. Due to the nature of the vulnerability, there is also potential for arbitrary code execution. The impact affects any application using the vulnerable libsixel versions to process user-supplied animated GIFs with multi-frame callbacks.
Mitigation Recommendations
A fix is available in libsixel version 1.8.7-r1. Users and developers should upgrade to this version or later to remediate the vulnerability. Since this is not a cloud service, remediation depends on applying the updated library version. Patch status is not explicitly stated beyond the fixed version; users should verify vendor advisories for the latest guidance.
CVE-2026-33018: CWE-416: Use After Free in saitoha libsixel
Description
libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain a Use-After-Free vulnerability via the load_gif() function in fromgif.c, where a single sixel_frame_t object is reused across all frames of an animated GIF and gif_init_frame() unconditionally frees and reallocates frame->pixels between frames without consulting the object's reference count. Because the public API explicitly provides sixel_frame_ref() to retain a frame and sixel_frame_get_pixels() to access the raw pixel buffer, a callback following this documented usage pattern will hold a dangling pointer after the second frame is decoded, resulting in a heap use-after-free confirmed by ASAN. Any application using sixel_helper_load_image_file() with a multi-frame callback to process user-supplied animated GIFs is affected, with a reliable crash as the minimum impact and potential for code execution. This issue has been fixed in version 1.8.7-r1.
CVSS v3.1
Score 7.0high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in libsixel (CVE-2026-33018) is a Use-After-Free (CWE-416) in the load_gif() function within fromgif.c. The problem occurs because a single sixel_frame_t object is reused for all frames of an animated GIF, and gif_init_frame() unconditionally frees and reallocates the pixel buffer without considering the reference count. The public API allows retaining frames and accessing raw pixel buffers, but after the second frame is decoded, callbacks holding these pointers encounter dangling references, confirmed by ASAN. This leads to a heap use-after-free condition that can cause reliable crashes and potentially code execution. The vulnerability affects libsixel versions before 1.8.7-rc1 and is resolved in version 1.8.7-r1.
Potential Impact
Exploitation of this vulnerability can cause heap use-after-free conditions resulting in application crashes at minimum. Due to the nature of the vulnerability, there is also potential for arbitrary code execution. The impact affects any application using the vulnerable libsixel versions to process user-supplied animated GIFs with multi-frame callbacks.
Mitigation Recommendations
A fix is available in libsixel version 1.8.7-r1. Users and developers should upgrade to this version or later to remediate the vulnerability. Since this is not a cloud service, remediation depends on applying the updated library version. Patch status is not explicitly stated beyond the fixed version; users should verify vendor advisories for the latest guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-17T17:22:14.666Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69deb96d82d89c981f0b1a09
Added to database: 4/14/2026, 10:02:21 PM
Last enriched: 4/22/2026, 6:27:08 AM
Last updated: 5/29/2026, 9:08:38 PM
Views: 55
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.