libsixel Use-After-Free: Critical Flaw in GIF Processing

/HIGH
SCW vulnerabilitycvehigh-severitycode-executioncwe-416
libsixel Use-After-Free: Critical Flaw in GIF Processing

The National Vulnerability Database has disclosed CVE-2026-33018, a high-severity Use-After-Free vulnerability in libsixel, a widely used SIXEL encoder/decoder implementation. Affecting versions 1.8.7 and prior, this critical flaw resides within the load_gif() function in fromgif.c, specifically in how it handles animated GIFs.

According to the National Vulnerability Database, the issue arises because a single sixel_frame_t object is reused across all frames of an animated GIF. The gif_init_frame() function then unconditionally frees and reallocates frame->pixels between frames, without adequately checking the object’s reference count. This means any application using sixel_helper_load_image_file() with a multi-frame callback to process user-supplied animated GIFs will leave a dangling pointer after the second frame is decoded if it follows the documented sixel_frame_ref() and sixel_frame_get_pixels() API usage. This can lead to a reliable crash, confirmed by ASAN, and potentially even remote code execution. The fix is available in version 1.8.7-r1.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access T1204.002 Malicious File Initial Access T1566.002 Spearphishing Attachment Initial Access

🛡️ Detection Rules

6 rules · 5 SIEM formats

6 auto-generated detection rules for this incident, mapped to MITRE ATT&CK. Available in Sigma, Splunk SPL, Sentinel KQL, Elastic Lucene, and QRadar AQL.

high T1190 Initial Access

Web Application Exploitation Attempt — CVE-2026-33018

Sigma Splunk SPL Sentinel KQL Elastic QRadar AQL

Get this rule in your SIEM's native format — copy, paste, detect. No manual conversion.

6 Sigma rules mapped to the ATT&CK techniques from this breach — pick your SIEM and get a ready-to-paste query.

Get Detection Rules →

Indicators of Compromise

IDTypeIndicator
CVE-2026-33018 Use After Free libsixel versions 1.8.7 and prior
CVE-2026-33018 Use After Free Vulnerable function: load_gif() in fromgif.c
CVE-2026-33018 Use After Free Vulnerable component: sixel_frame_t object reuse in animated GIF processing
CVE-2026-33018 Code Execution Affected function usage: sixel_helper_load_image_file() with multi-frame callback processing user-supplied animated GIFs
CVE-2026-33018 Use After Free Fixed in libsixel version 1.8.7-r1

By Shimi's Cyber World Editorial

Related Posts

Critical RCE Flaw Hits NuGet Gallery Backend

CVE-2026-39399 — NuGet Gallery is a package repository that powers nuget.org. A security vulnerability exists in the NuGetGallery backend job’s handling of .nuspec files within...

vulnerabilityCVEcriticalhigh-severityremote-code-executioncwe-20cwe-22
/CRITICAL /⚑ 4 IOCs

BoidCMS LFI to RCE: A Critical Template Flaw

CVE-2026-39387 — BoidCMS is an open-source, PHP-based flat-file CMS for building simple websites and blogs, using JSON as its database. Versions prior to 2.1.3 are...

vulnerabilityCVEhigh-severityremote-code-executioncwe-98
/HIGH /⚑ 4 IOCs

Nanobot AI: WebSocket Hijack Puts WhatsApp Sessions at Risk

CVE-2026-35589 — nanobot is a personal AI assistant. Versions prior to 0.1.5 contain a Cross-Site WebSocket Hijacking (CSWSH) vulnerability exists in the bridge's WebSocket server...

vulnerabilityCVEhigh-severitycwe-1385
/HIGH /⚑ 5 IOCs