CVE-2026-44637— libsixel: integer overflow in parser
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-44637
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
libsixel: integer overflow in parser
Source: NVD (National Vulnerability Database)
Vulnerability Description
libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. From to 1.8.7-r1, a signed integer overflow in the SIXEL parser's image-buffer doubling loop can lead to an out-of-bounds heap write in sixel_decode_raw_impl. context->pos_x grows by repeat_count on every sixel character with no upper bound check. Once pos_x approaches INT_MAX, the expression "pos_x + repeat_count" used to size the image buffer overflows signed int. Depending on how the overflow wraps, the resize check that should reject oversized buffers can be bypassed, after which a subsequent write computes a large attacker-influenced offset into image->data and writes past the allocation. Reachable from any caller that decodes attacker-supplied SIXEL data, including img2sixel. This vulnerability is fixed in 1.8.7-r2.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
整数溢出或超界折返
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-44637
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-44637
请登录查看更多情报信息。
- https://github.com/saitoha/libsixel/security/advisories/GHSA-9jm7-77gr-qghvx_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2026-44637
Same Patch Batch · saitoha · 2026-05-14 · 3 CVEs total
| CVE-2026-44636 | 7.4 HIGH | libsixel: integer overflow in encoder |
| CVE-2026-44638 | 2.5 LOW | libsixel: NULL pointer dereference |
IV. Related Vulnerabilities
Same product: libsixel
- CVE-2026-44636
libsixel: integer overflow in encoder - CVE-2026-44638
libsixel: NULL pointer dereference - CVE-2026-33023
libsixel: Use-after-free in load_with_gdkpixbuf() - CVE-2026-33021
libsixel: Use-after-free in sixel_encoder_encode_bytes() - CVE-2026-33020
libsixel: Integer Overflow in write_png_to_file() leads to H
Same vendor: saitoha
- CVE-2026-44636
libsixel: integer overflow in encoder - CVE-2026-44638
libsixel: NULL pointer dereference - CVE-2026-33023
libsixel: Use-after-free in load_with_gdkpixbuf() - CVE-2026-33021
libsixel: Use-after-free in sixel_encoder_encode_bytes() - CVE-2026-33020
libsixel: Integer Overflow in write_png_to_file() leads to H
Same weakness: CWE-190
- CVE-2021-26380
Trusted OS驱动内存越界致完整性丢失 - CVE-2026-44673
libyang: lyb_read_string() integer overflow → heap buffer ov - CVE-2026-43905
OpenImageIO: JPEG2000 (OpenJPH) signed integer overflow in b - CVE-2026-43907
OpenImageIO: Integer overflow in QueryRGBBufferSizeInternal - CVE-2026-43908
OpenImageIO: Signed integer overflow in ConvertCbYCrYToRGB l
V. Comments for CVE-2026-44637
No comments yet