<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cve-2026-33019 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cve-2026-33019/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cve-2026-33019/feed.xml" rel="self" type="application/rss+xml"/><item><title>Libsixel Integer Overflow Vulnerability in img2sixel --crop Option</title><link>https://feed.craftedsignal.io/briefs/2024-01-libsixel-integer-overflow/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-libsixel-integer-overflow/</guid><description>Libsixel versions 1.8.7 and prior contain an integer overflow vulnerability in the `--crop` option of `img2sixel`, leading to an out-of-bounds heap read, potentially causing a crash and information disclosure.</description><content:encoded><![CDATA[<p>Libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior are vulnerable to an integer overflow in the <code>--crop</code> option handling of <code>img2sixel</code>. This vulnerability allows an attacker to trigger an out-of-bounds heap read by providing a crafted crop argument with positive coordinates up to INT_MAX, which bypasses overflow-safe bounds checking. The vulnerability resides in <code>sixel_encoder_do_clip()</code>, where the expression <code>clip_w + clip_x</code> overflows when <code>clip_x</code> is INT_MAX, leading to the execution of <code>memmove()</code> with a source pointer beyond the image buffer. Successful exploitation results in a crash and potential information disclosure. This issue was addressed in version 1.8.7-r1. Defenders should prioritize patching vulnerable systems.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker prepares a malicious image file and a crafted command-line argument for <code>img2sixel</code> using the <code>--crop</code> option. The <code>clip_x</code> value in the argument is set to <code>INT_MAX</code>.</li>
<li>The attacker executes <code>img2sixel</code> with the malicious image and crafted <code>--crop</code> argument.</li>
<li>Within <code>sixel_encoder_do_clip()</code>, the calculation <code>clip_w + clip_x</code> overflows due to <code>clip_x</code> being <code>INT_MAX</code>, resulting in a large negative value.</li>
<li>The overflowed value bypasses the intended bounds check, which is meant to prevent out-of-bounds access.</li>
<li>The unclamped coordinate is passed to <code>sixel_frame_clip()</code> and subsequently to <code>clip()</code>.</li>
<li><code>clip()</code> calculates a source pointer that points far beyond the allocated image buffer.</li>
<li><code>memmove()</code> is called with the out-of-bounds source pointer.</li>
<li>The out-of-bounds read from the heap causes a crash, potentially leading to information disclosure.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an attacker to cause a denial-of-service condition due to the application crash. Furthermore, it could lead to potential information disclosure by reading data from unintended memory locations. Given the wide usage of libsixel, a successful exploit could impact numerous systems and applications that rely on this library for image processing.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade to libsixel version 1.8.7-r1 or later to patch the integer overflow vulnerability (CVE-2026-33019).</li>
<li>Monitor systems for the execution of <code>img2sixel</code> with extremely large <code>--crop</code> values using the provided Sigma rule.</li>
<li>Implement input validation and sanitization to prevent potentially malicious arguments being passed to <code>img2sixel</code>.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>libsixel</category><category>integer-overflow</category><category>heap-read</category><category>cve-2026-33019</category></item></channel></rss>