CVE-2026-33021: CWE-416: Use After Free in saitoha libsixel
libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain a use-after-free vulnerability in sixel_encoder_encode_bytes() because sixel_frame_init() stores the caller-owned pixel buffer pointer directly in frame->pixels without making a defensive copy. When a resize operation is triggered, sixel_frame_convert_to_rgb888() unconditionally frees this caller-owned buffer and replaces it with a new internal allocation, leaving the caller with a dangling pointer. Any subsequent access to the original buffer by the caller constitutes a use-after-free, confirmed by AddressSanitizer. An attacker who controls incoming frames can trigger this bug repeatedly and predictably, resulting in a reliable crash with potential for code execution. This issue has been fixed in version 1.8.7-r1.
AI Analysis
Technical Summary
The vulnerability in saitoha libsixel (CVE-2026-33021) is a use-after-free condition in versions prior to 1.8.7-r1. It occurs because the pixel buffer pointer passed by the caller is stored directly in the frame structure without making a defensive copy. Upon triggering a resize operation, the buffer is freed internally and replaced, leaving the caller's pointer dangling. Subsequent access by the caller to this freed memory leads to use-after-free, confirmed by AddressSanitizer. An attacker controlling input frames can reliably trigger this condition, causing crashes and potentially enabling arbitrary code execution. The issue is resolved in version 1.8.7-r1.
Potential Impact
Successful exploitation can cause application crashes and may allow an attacker to execute arbitrary code due to the use-after-free condition. The vulnerability affects confidentiality, integrity, and availability to varying degrees as indicated by the CVSS vector (C:L/I:L/A:H). There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade to libsixel version 1.8.7-r1 or later, where this vulnerability has been fixed. No other official remediation or temporary fixes are documented. Patch status is not explicitly stated but the fix is included in the updated version.
CVE-2026-33021: CWE-416: Use After Free in saitoha libsixel
Description
libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain a use-after-free vulnerability in sixel_encoder_encode_bytes() because sixel_frame_init() stores the caller-owned pixel buffer pointer directly in frame->pixels without making a defensive copy. When a resize operation is triggered, sixel_frame_convert_to_rgb888() unconditionally frees this caller-owned buffer and replaces it with a new internal allocation, leaving the caller with a dangling pointer. Any subsequent access to the original buffer by the caller constitutes a use-after-free, confirmed by AddressSanitizer. An attacker who controls incoming frames can trigger this bug repeatedly and predictably, resulting in a reliable crash with potential for code execution. This issue has been fixed in version 1.8.7-r1.
CVSS v3.1
Score 7.3high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in saitoha libsixel (CVE-2026-33021) is a use-after-free condition in versions prior to 1.8.7-r1. It occurs because the pixel buffer pointer passed by the caller is stored directly in the frame structure without making a defensive copy. Upon triggering a resize operation, the buffer is freed internally and replaced, leaving the caller's pointer dangling. Subsequent access by the caller to this freed memory leads to use-after-free, confirmed by AddressSanitizer. An attacker controlling input frames can reliably trigger this condition, causing crashes and potentially enabling arbitrary code execution. The issue is resolved in version 1.8.7-r1.
Potential Impact
Successful exploitation can cause application crashes and may allow an attacker to execute arbitrary code due to the use-after-free condition. The vulnerability affects confidentiality, integrity, and availability to varying degrees as indicated by the CVSS vector (C:L/I:L/A:H). There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade to libsixel version 1.8.7-r1 or later, where this vulnerability has been fixed. No other official remediation or temporary fixes are documented. Patch status is not explicitly stated but the fix is included in the updated version.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-17T17:22:14.667Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69debcd482d89c981f0dfd14
Added to database: 4/14/2026, 10:16:52 PM
Last enriched: 4/22/2026, 6:27:15 AM
Last updated: 5/29/2026, 7:22:08 PM
Views: 55
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.