CVE-2026-42046: CWE-122: Heap-based Buffer Overflow in cacalabs libcaca
A heap-based buffer overflow vulnerability exists in libcaca versions 0. 99. beta20 and earlier within the canvas import functionality. This vulnerability arises from an integer overflow when processing crafted files in the 'caca' format, potentially leading to controlled heap out-of-bounds writes. The issue may result in memory corruption or remote code execution depending on the build configuration and memory allocator. This vulnerability is a reoccurrence of CVE-2021-3410, as the previous fix was incomplete. A commit identified as fb77acff9ba6bb01d53940da34fb10f20b156a23 addresses this vulnerability. The CVSS v3. 1 score is 7. 8, indicating high severity.
AI Analysis
Technical Summary
libcaca, a color ASCII art library, contains an integer overflow vulnerability in its canvas import functionality in versions up to 0.99.beta20. This flaw allows an attacker to supply a specially crafted 'caca' format file that triggers a heap-based buffer overflow via a controlled out-of-bounds write. The impact varies with build and allocator but can include memory corruption or remote code execution. This vulnerability is a recurrence of CVE-2021-3410 due to an incomplete prior fix. The vulnerability is fixed in a specific commit (fb77acff9ba6bb01d53940da34fb10f20b156a23). No official patch release or advisory is referenced in the provided data.
Potential Impact
Successful exploitation can lead to high-impact consequences including memory corruption and potentially remote code execution. The vulnerability affects confidentiality, integrity, and availability as indicated by the CVSS vector (C:H/I:H/A:H). The attack vector requires local access with low complexity and no privileges but user interaction is required.
Mitigation Recommendations
Patch status is not yet confirmed from the vendor advisory as no official patch or release is referenced. However, a specific commit (fb77acff9ba6bb01d53940da34fb10f20b156a23) is identified as fixing the vulnerability. Users should apply this fix or upgrade to a version including this commit once available. Until then, avoid processing untrusted 'caca' format files to mitigate risk.
CVE-2026-42046: CWE-122: Heap-based Buffer Overflow in cacalabs libcaca
Description
A heap-based buffer overflow vulnerability exists in libcaca versions 0. 99. beta20 and earlier within the canvas import functionality. This vulnerability arises from an integer overflow when processing crafted files in the 'caca' format, potentially leading to controlled heap out-of-bounds writes. The issue may result in memory corruption or remote code execution depending on the build configuration and memory allocator. This vulnerability is a reoccurrence of CVE-2021-3410, as the previous fix was incomplete. A commit identified as fb77acff9ba6bb01d53940da34fb10f20b156a23 addresses this vulnerability. The CVSS v3. 1 score is 7. 8, indicating high severity.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
libcaca, a color ASCII art library, contains an integer overflow vulnerability in its canvas import functionality in versions up to 0.99.beta20. This flaw allows an attacker to supply a specially crafted 'caca' format file that triggers a heap-based buffer overflow via a controlled out-of-bounds write. The impact varies with build and allocator but can include memory corruption or remote code execution. This vulnerability is a recurrence of CVE-2021-3410 due to an incomplete prior fix. The vulnerability is fixed in a specific commit (fb77acff9ba6bb01d53940da34fb10f20b156a23). No official patch release or advisory is referenced in the provided data.
Potential Impact
Successful exploitation can lead to high-impact consequences including memory corruption and potentially remote code execution. The vulnerability affects confidentiality, integrity, and availability as indicated by the CVSS vector (C:H/I:H/A:H). The attack vector requires local access with low complexity and no privileges but user interaction is required.
Mitigation Recommendations
Patch status is not yet confirmed from the vendor advisory as no official patch or release is referenced. However, a specific commit (fb77acff9ba6bb01d53940da34fb10f20b156a23) is identified as fixing the vulnerability. Users should apply this fix or upgrade to a version including this commit once available. Until then, avoid processing untrusted 'caca' format files to mitigate risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-23T16:05:01.709Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a028746cbff5d86108b50d4
Added to database: 5/12/2026, 1:49:58 AM
Last enriched: 5/12/2026, 1:52:35 AM
Last updated: 5/12/2026, 3:48:34 AM
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.