Libsixel Use-After-Free: Crafted Images Lead to RCE

The National Vulnerability Database (NVD) has documented a high-severity use-after-free vulnerability, CVE-2026-33023, impacting libsixel versions 1.8.7 and earlier. This library, a SIXEL encoder/decoder implementation, exhibits the flaw specifically when compiled with the --with-gdk-pixbuf2 option. The core issue lies within the load_with_gdkpixbuf() function in loader.c, where a sixel_frame_t object and its internal buffers are manually freed without proper reference counting, despite being created with a refcounted constructor.

This inconsistency creates a dangling pointer if a callback retains a logical reference to the sixel_frame_t object after sixel_helper_load_image_file() returns. Any subsequent access to this freed memory triggers a use-after-free condition, confirmed by AddressSanitizer. The NVD notes that the root cause is a divergence in cleanup strategies; sixel_frame_unref() is used in load_with_builtin(), but a raw free() is employed in the vulnerable load_with_gdkpixbuf() path. An attacker can reliably exploit this by supplying a specially crafted image to any application linked against libsixel with gdk-pixbuf2 support. The potential fallout includes information disclosure, memory corruption, or even remote code execution. The NVD confirms this issue has been addressed in version 1.8.7-r1.