{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/heap-read/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-33019"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Libsixel","img2sixel"],"_cs_severities":["high"],"_cs_tags":["libsixel","integer-overflow","heap-read","cve-2026-33019"],"_cs_type":"advisory","_cs_vendors":["Libsixel"],"content_html":"\u003cp\u003eLibsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior are vulnerable to an integer overflow in the \u003ccode\u003e--crop\u003c/code\u003e option handling of \u003ccode\u003eimg2sixel\u003c/code\u003e. This vulnerability allows an attacker to trigger an out-of-bounds heap read by providing a crafted crop argument with positive coordinates up to INT_MAX, which bypasses overflow-safe bounds checking. The vulnerability resides in \u003ccode\u003esixel_encoder_do_clip()\u003c/code\u003e, where the expression \u003ccode\u003eclip_w + clip_x\u003c/code\u003e overflows when \u003ccode\u003eclip_x\u003c/code\u003e is INT_MAX, leading to the execution of \u003ccode\u003ememmove()\u003c/code\u003e with a source pointer beyond the image buffer. Successful exploitation results in a crash and potential information disclosure. This issue was addressed in version 1.8.7-r1. Defenders should prioritize patching vulnerable systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker prepares a malicious image file and a crafted command-line argument for \u003ccode\u003eimg2sixel\u003c/code\u003e using the \u003ccode\u003e--crop\u003c/code\u003e option. The \u003ccode\u003eclip_x\u003c/code\u003e value in the argument is set to \u003ccode\u003eINT_MAX\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003eimg2sixel\u003c/code\u003e with the malicious image and crafted \u003ccode\u003e--crop\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eWithin \u003ccode\u003esixel_encoder_do_clip()\u003c/code\u003e, the calculation \u003ccode\u003eclip_w + clip_x\u003c/code\u003e overflows due to \u003ccode\u003eclip_x\u003c/code\u003e being \u003ccode\u003eINT_MAX\u003c/code\u003e, resulting in a large negative value.\u003c/li\u003e\n\u003cli\u003eThe overflowed value bypasses the intended bounds check, which is meant to prevent out-of-bounds access.\u003c/li\u003e\n\u003cli\u003eThe unclamped coordinate is passed to \u003ccode\u003esixel_frame_clip()\u003c/code\u003e and subsequently to \u003ccode\u003eclip()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eclip()\u003c/code\u003e calculates a source pointer that points far beyond the allocated image buffer.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ememmove()\u003c/code\u003e is called with the out-of-bounds source pointer.\u003c/li\u003e\n\u003cli\u003eThe out-of-bounds read from the heap causes a crash, potentially leading to information disclosure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to cause a denial-of-service condition due to the application crash. Furthermore, it could lead to potential information disclosure by reading data from unintended memory locations. Given the wide usage of libsixel, a successful exploit could impact numerous systems and applications that rely on this library for image processing.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to libsixel version 1.8.7-r1 or later to patch the integer overflow vulnerability (CVE-2026-33019).\u003c/li\u003e\n\u003cli\u003eMonitor systems for the execution of \u003ccode\u003eimg2sixel\u003c/code\u003e with extremely large \u003ccode\u003e--crop\u003c/code\u003e values using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization to prevent potentially malicious arguments being passed to \u003ccode\u003eimg2sixel\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-libsixel-integer-overflow/","summary":"Libsixel versions 1.8.7 and prior contain an integer overflow vulnerability in the `--crop` option of `img2sixel`, leading to an out-of-bounds heap read, potentially causing a crash and information disclosure.","title":"Libsixel Integer Overflow Vulnerability in img2sixel --crop Option","url":"https://feed.craftedsignal.io/briefs/2024-01-libsixel-integer-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed - Heap-Read","version":"https://jsonfeed.org/version/1.1"}