Skip to content
Threat Feed
high advisory

Libsixel Integer Overflow Vulnerability in img2sixel --crop Option

Libsixel versions 1.8.7 and prior contain an integer overflow vulnerability in the `--crop` option of `img2sixel`, leading to an out-of-bounds heap read, potentially causing a crash and information disclosure.

Libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior are vulnerable to an integer overflow in the --crop option handling of img2sixel. This vulnerability allows an attacker to trigger an out-of-bounds heap read by providing a crafted crop argument with positive coordinates up to INT_MAX, which bypasses overflow-safe bounds checking. The vulnerability resides in sixel_encoder_do_clip(), where the expression clip_w + clip_x overflows when clip_x is INT_MAX, leading to the execution of memmove() with a source pointer beyond the image buffer. Successful exploitation results in a crash and potential information disclosure. This issue was addressed in version 1.8.7-r1. Defenders should prioritize patching vulnerable systems.

Attack Chain

  1. Attacker prepares a malicious image file and a crafted command-line argument for img2sixel using the --crop option. The clip_x value in the argument is set to INT_MAX.
  2. The attacker executes img2sixel with the malicious image and crafted --crop argument.
  3. Within sixel_encoder_do_clip(), the calculation clip_w + clip_x overflows due to clip_x being INT_MAX, resulting in a large negative value.
  4. The overflowed value bypasses the intended bounds check, which is meant to prevent out-of-bounds access.
  5. The unclamped coordinate is passed to sixel_frame_clip() and subsequently to clip().
  6. clip() calculates a source pointer that points far beyond the allocated image buffer.
  7. memmove() is called with the out-of-bounds source pointer.
  8. The out-of-bounds read from the heap causes a crash, potentially leading to information disclosure.

Impact

Successful exploitation of this vulnerability allows an attacker to cause a denial-of-service condition due to the application crash. Furthermore, it could lead to potential information disclosure by reading data from unintended memory locations. Given the wide usage of libsixel, a successful exploit could impact numerous systems and applications that rely on this library for image processing.

Recommendation

  • Upgrade to libsixel version 1.8.7-r1 or later to patch the integer overflow vulnerability (CVE-2026-33019).
  • Monitor systems for the execution of img2sixel with extremely large --crop values using the provided Sigma rule.
  • Implement input validation and sanitization to prevent potentially malicious arguments being passed to img2sixel.

Detection coverage 2

Detect img2sixel with Large Crop Values

high

Detects execution of img2sixel with extremely large --crop values that could indicate exploitation of CVE-2026-33019.

sigma tactics: defense_evasion, information_gathering techniques: T1068 sources: process_creation, linux

Detect img2sixel Crashes

medium

Detects abnormal termination (crash) of img2sixel process, potentially related to CVE-2026-33019 exploitation.

sigma tactics: defense_evasion, information_gathering techniques: T1068 sources: process_creation, linux

Detection queries are available on the platform. Get full rules →