This page aggregates CVE and security vulnerability intelligence across all saitoha-related products, including CVSS scores, EPSS exploitation probabilities, and publication and update dates.
Common weakness patterns include buffer overflows and memory corruption, with potential impacts of memory corruption and application crashes across software deployment use cases.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-44638 | libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. From to 1.8.7-r1, a wrong NULL check after an allocation call in sixel_decode_raw and sixel_decode causes a NULL pointer dereference whenever the allocation fails. The check tests the address of the output parameter (always non-NULL) instead of the value the malloc returned. On allocation failure, the function continues and writes through a NULL pointer, crashing the process. This is a denial of service against any c | [email protected] | 2.5 | 0.01% | 2026-05-14 | 2026-05-15 |
| CVE-2026-44637 | libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. From to 1.8.7-r1, a signed integer overflow in the SIXEL parser's image-buffer doubling loop can lead to an out-of-bounds heap write in sixel_decode_raw_impl. context->pos_x grows by repeat_count on every sixel character with no upper bound check. Once pos_x approaches INT_MAX, the expression "pos_x + repeat_count" used to size the image buffer overflows signed int. Depending on how the overflow wraps, the resize che | [email protected] | 7.1 | 0.01% | 2026-05-14 | 2026-05-15 |
| CVE-2026-44636 | libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. From to 1.8.7-r1, signed integer overflow in sixel_encode_highcolor's allocation size calculation can lead to a heap buffer overflow. The public sixel_encode entry point validates only that width and height are greater than zero, with no upper bound. width and height are multiplied as plain int when computing the allocation size for paletted_pixels and normalized_pixels. Any caller that asks libsixel to encode a pixe | [email protected] | 7.4 | 0.01% | 2026-05-14 | 2026-05-16 |
| CVE-2026-33023 | libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. In versions 1.8.7 and prior, when built with the --with-gdk-pixbuf2 option, a use-after-free vulnerability exists in load_with_gdkpixbuf() in loader.c. The cleanup path manually frees the sixel_frame_t object and its internal buffers without consulting the reference count, even though the object was created via the refcounted constructor sixel_frame_new() and exposed to the public callback. A callback that calls sixel | [email protected] | 7.8 | 0.01% | 2026-04-14 | 2026-04-23 |
| CVE-2026-33021 | libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain a use-after-free vulnerability in sixel_encoder_encode_bytes() because sixel_frame_init() stores the caller-owned pixel buffer pointer directly in frame->pixels without making a defensive copy. When a resize operation is triggered, sixel_frame_convert_to_rgb888() unconditionally frees this caller-owned buffer and replaces it with a new internal allocation, leaving the caller with a dan | [email protected] | 7.3 | 0.01% | 2026-04-14 | 2026-04-23 |
| CVE-2026-33020 | libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain an integer overflow which leads to a heap buffer overflow via sixel_frame_convert_to_rgb888() in frame.c, where allocation size and pointer offset computations for palettised images (PAL1, PAL2, PAL4) are performed using int arithmetic before casting to size_t. For images whose pixel count exceeds INT_MAX / 4, the overflow produces an undersized heap allocation for the conversion buffe | [email protected] | 7.1 | 0.01% | 2026-04-14 | 2026-04-23 |
| CVE-2026-33019 | libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain an integer overflow leading to an out-of-bounds heap read in the --crop option handling of img2sixel, where positive coordinates up to INT_MAX are accepted without overflow-safe bounds checking. In sixel_encoder_do_clip(), the expression clip_w + clip_x overflows to a large negative value when clip_x is INT_MAX, causing the bounds guard to be skipped entirely, and the unclamped coordin | [email protected] | 7.1 | 0.01% | 2026-04-14 | 2026-04-23 |
| CVE-2026-33018 | libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain a Use-After-Free vulnerability via the load_gif() function in fromgif.c, where a single sixel_frame_t object is reused across all frames of an animated GIF and gif_init_frame() unconditionally frees and reallocates frame->pixels between frames without consulting the object's reference count. Because the public API explicitly provides sixel_frame_ref() to retain a frame and sixel_frame_ | [email protected] | 7.0 | 0.01% | 2026-04-14 | 2026-04-23 |
| CVE-2025-61146 | saitoha libsixel until v1.8.7 was discovered to contain a memory leak via the component malloc_stub.c. | [email protected] | 4.0 | 0.01% | 2026-02-23 | 2026-04-23 |
| CVE-2025-9300 | A vulnerability was found in saitoha libsixel up to 1.10.3. Affected by this issue is the function sixel_debug_print_palette of the file src/encoder.c of the component img2sixel. The manipulation results in stack-based buffer overflow. The attack must be initiated from a local position. The exploit has been made public and could be used. The patch is identified as 316c086e79d66b62c0c4bc66229ee894e4fdb7d1. Applying a patch is advised to resolve this issue. | [email protected] | 1.9 | 0.06% | 2025-08-21 | 2026-04-29 |
| CVE-2022-29978 | There is a floating point exception error in sixel_encoder_do_resize, encoder.c:633 in libsixel img2sixel 1.8.6. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted JPEG file. | [email protected] | 6.5 | 0.30% | 2022-05-11 | 2026-04-24 |
| CVE-2022-29977 | There is an assertion failure error in stbi__jpeg_huff_decode, stb_image.h:1894 in libsixel img2sixel 1.8.6. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted JPEG file. | [email protected] | 6.5 | 0.56% | 2022-05-11 | 2026-04-24 |
| CVE-2022-27046 | libsixel 1.8.6 suffers from a Heap Use After Free vulnerability in libsixel/src/dither.c:388. | [email protected] | 8.8 | 0.32% | 2022-04-08 | 2026-04-24 |
| CVE-2022-27044 | libsixel 1.8.6 is affected by Buffer Overflow in libsixel/src/quant.c:876. | [email protected] | 8.8 | 0.35% | 2022-04-08 | 2026-04-24 |
| CVE-2022-27938 | stb_image.h (aka the stb image loader) 2.19, as used in libsixel and other products, has a reachable assertion in stbi__create_png_image_raw. | [email protected] | 5.5 | 0.13% | 2022-03-26 | 2026-04-24 |
| CVE-2021-46700 | In libsixel 1.8.6, sixel_encoder_output_without_macro (called from sixel_encoder_encode_frame in encoder.c) has a double free. | [email protected] | 6.5 | 0.16% | 2022-02-19 | 2026-04-24 |
| CVE-2020-21548 | Libsixel 1.8.3 contains a heap-based buffer overflow in the sixel_encode_highcolor function in tosixel.c. | [email protected] | 8.8 | 0.38% | 2021-09-17 | 2026-04-24 |
| CVE-2020-21547 | Libsixel 1.8.2 contains a heap-based buffer overflow in the dither_func_fs function in tosixel.c. | [email protected] | 8.8 | 0.38% | 2021-09-17 | 2026-04-24 |
| CVE-2020-21050 | Libsixel prior to v1.8.3 contains a stack buffer overflow in the function gif_process_raster at fromgif.c. | [email protected] | 6.5 | 0.94% | 2021-09-14 | 2026-04-24 |
| CVE-2020-21049 | An invalid read in the stb_image.h component of libsixel prior to v1.8.5 allows attackers to cause a denial of service (DOS) via a crafted PSD file. | [email protected] | 6.5 | 0.41% | 2021-09-14 | 2026-04-24 |