libsixel Use-After-Free: High-Severity Bug in Image Handling

A significant use-after-free vulnerability, tracked as CVE-2026-33021, has been identified in libsixel, an implementation of the SIXEL encoder/decoder. According to the National Vulnerability Database, versions 1.8.7 and earlier are susceptible to this flaw, which stems from how sixel_encoder_encode_bytes() interacts with sixel_frame_init(). The core issue lies in sixel_frame_init() storing a direct pointer to the caller-owned pixel buffer rather than creating a defensive copy.

This becomes problematic when a resize operation occurs. As reported by the National Vulnerability Database, sixel_frame_convert_to_rgb888() then unconditionally frees this original, caller-owned buffer and replaces it with a new internal allocation. This leaves the caller with a dangling pointer, leading to a classic use-after-free scenario if the original buffer is accessed again. AddressSanitizer has confirmed this bug. An attacker capable of controlling incoming frames could repeatedly and predictably trigger this vulnerability, resulting in reliable crashes and, critically, potential for arbitrary code execution. The issue has been addressed in version 1.8.7-r1.
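The ownership mistake described above, modelled as an added C illustration that is not libsixel's code: the frame_t struct and the functions frame_init_alias (the aliasing pattern), frame_init_copy (the defensive copy) and frame_convert_to_rgb888 (the buffer-replacing conversion) are hypothetical names constructed for this example. An ownership flag gates the free() so that a frame that merely aliases a caller's buffer is refused instead of freeing memory it does not own.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical minimal model of the ownership bug; not libsixel's code.
   A frame records whether it owns its pixel storage. */
typedef struct {
    unsigned char *pixels;
    size_t len;
    int owns_pixels; /* 1: frame allocated pixels and may free them; 0: caller-owned */
} frame_t;

/* Vulnerable pattern: the frame stores the caller's pointer directly. */
void frame_init_alias(frame_t *f, unsigned char *caller_buf, size_t len) {
    f->pixels = caller_buf;
    f->len = len;
    f->owns_pixels = 0;
}

/* Hardened pattern: take a defensive copy so the frame owns what it later frees. */
int frame_init_copy(frame_t *f, const unsigned char *caller_buf, size_t len) {
    f->pixels = malloc(len);
    if (f->pixels == NULL) return -1;
    memcpy(f->pixels, caller_buf, len);
    f->len = len;
    f->owns_pixels = 1;
    return 0;
}

/* Conversion that replaces 1-byte grey pixels with a 3-byte RGB expansion.
   An unconditional free() here is what dangles the caller's pointer in the
   described bug; the ownership check below refuses to free aliased memory. */
int frame_convert_to_rgb888(frame_t *f) {
    if (!f->owns_pixels) return -1; /* would free caller-owned memory: refuse */
    unsigned char *rgb = malloc(f->len * 3);
    if (rgb == NULL) return -1;
    for (size_t i = 0; i < f->len; i++)
        rgb[3 * i] = rgb[3 * i + 1] = rgb[3 * i + 2] = f->pixels[i];
    free(f->pixels);       /* safe: this buffer was allocated by frame_init_copy */
    f->pixels = rgb;
    f->len *= 3;
    return 0;
}

/* Release only storage the frame owns; never free the caller's buffer. */
void frame_free(frame_t *f) {
    if (f->owns_pixels) free(f->pixels);
    f->pixels = NULL;
    f->len = 0;
    f->owns_pixels = 0;
}
```

With the aliasing initialiser the conversion is rejected and the caller's buffer stays valid; with the copying initialiser the conversion succeeds and later writes to the caller's buffer no longer affect the frame.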


Indicators of Compromise

ID              Type            Indicator
CVE-2026-33021  Use After Free  libsixel versions 1.8.7 and prior
CVE-2026-33021  Use After Free  Vulnerable function: sixel_encoder_encode_bytes()
CVE-2026-33021  Use After Free  Vulnerable function: sixel_frame_init()
CVE-2026-33021  Use After Free  Vulnerable function: sixel_frame_convert_to_rgb888()
CVE-2026-33021  RCE             libsixel versions 1.8.7 and prior
