Libsixel Integer Overflow Vulnerability in img2sixel --crop Option
Libsixel versions 1.8.7 and prior contain an integer overflow vulnerability in the `--crop` option of `img2sixel`, leading to an out-of-bounds heap read, potentially causing a crash and information disclosure.
Libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior are vulnerable to an integer overflow in the --crop option handling of img2sixel. This vulnerability allows an attacker to trigger an out-of-bounds heap read by providing a crafted crop argument with positive coordinates up to INT_MAX, which bypasses overflow-safe bounds checking. The vulnerability resides in sixel_encoder_do_clip(), where the expression clip_w + clip_x overflows when clip_x is INT_MAX, leading to the execution of memmove() with a source pointer beyond the image buffer. Successful exploitation results in a crash and potential information disclosure. This issue was addressed in version 1.8.7-r1. Defenders should prioritize patching vulnerable systems.
Attack Chain
- Attacker prepares a malicious image file and a crafted command-line argument for
img2sixelusing the--cropoption. Theclip_xvalue in the argument is set toINT_MAX. - The attacker executes
img2sixelwith the malicious image and crafted--cropargument. - Within
sixel_encoder_do_clip(), the calculationclip_w + clip_xoverflows due toclip_xbeingINT_MAX, resulting in a large negative value. - The overflowed value bypasses the intended bounds check, which is meant to prevent out-of-bounds access.
- The unclamped coordinate is passed to
sixel_frame_clip()and subsequently toclip(). clip()calculates a source pointer that points far beyond the allocated image buffer.memmove()is called with the out-of-bounds source pointer.- The out-of-bounds read from the heap causes a crash, potentially leading to information disclosure.
Impact
Successful exploitation of this vulnerability allows an attacker to cause a denial-of-service condition due to the application crash. Furthermore, it could lead to potential information disclosure by reading data from unintended memory locations. Given the wide usage of libsixel, a successful exploit could impact numerous systems and applications that rely on this library for image processing.
Recommendation
- Upgrade to libsixel version 1.8.7-r1 or later to patch the integer overflow vulnerability (CVE-2026-33019).
- Monitor systems for the execution of
img2sixelwith extremely large--cropvalues using the provided Sigma rule. - Implement input validation and sanitization to prevent potentially malicious arguments being passed to
img2sixel.
Detection coverage 2
Detect img2sixel with Large Crop Values
highDetects execution of img2sixel with extremely large --crop values that could indicate exploitation of CVE-2026-33019.
Detect img2sixel Crashes
mediumDetects abnormal termination (crash) of img2sixel process, potentially related to CVE-2026-33019 exploitation.
Detection queries are available on the platform. Get full rules →