libsixel Signed Integer Overflow (CVE-2026-44637) Leads to Heap Write

The National Vulnerability Database has detailed CVE-2026-44637, a critical vulnerability in libsixel, a SIXEL encoder/decoder library. Specifically, versions up to 1.8.7-r1 are vulnerable to a signed integer overflow within the SIXEL parser’s image-buffer doubling loop. This flaw can result in an out-of-bounds heap write in the sixel_decode_raw_impl function.

The core issue, as described by the National Vulnerability Database, is that context->pos_x increments by repeat_count without any upper bound check. When pos_x nears INT_MAX, the calculation pos_x + repeat_count overflows. This overflow can bypass resize checks, allowing an attacker to write past allocated memory via a large, attacker-influenced offset. Any application decoding attacker-supplied SIXEL data, including img2sixel, is susceptible. The vulnerability carries a CVSS score of 7.1 (HIGH) and has been patched in libsixel version 1.8.7-r2.
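The check-after-add pattern described above, beside an overflow-safe version of the same cursor advance, as an added example written for this page; it is a constructed model of the parser's column counter and buffer-doubling loop, not libsixel's own code. The naive variant uses unsigned wrapping arithmetic so the demonstration itself has no undefined behaviour; the hardened variant relies on the GCC/Clang builtin `__builtin_add_overflow`.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the decoder's cursor state (not libsixel's struct). */
typedef struct {
    int width;   /* current pixel-buffer width */
    int pos_x;   /* current column the next run will be written at */
} cursor_t;

/* Vulnerable shape: form pos_x + repeat_count first, compare afterwards.
 * Computed with unsigned wraparound here so the example is well defined;
 * once the sum wraps negative, the "does it fit?" comparison passes. */
static bool naive_fits(const cursor_t *c, int repeat_count)
{
    int wrapped = (int)((unsigned)c->pos_x + (unsigned)repeat_count);
    return wrapped < c->width;
}

/* Hardened shape: reject before the addition can overflow, cap the result
 * against the largest buffer the caller is willing to allocate, and only
 * then run the doubling loop. Returns false on any rejected input. */
static bool checked_advance(cursor_t *c, int repeat_count, int max_width)
{
    int next;
    if (repeat_count < 0 || c->pos_x < 0 || c->width <= 0)
        return false;
    if (__builtin_add_overflow(c->pos_x, repeat_count, &next))
        return false;                 /* sum would exceed INT_MAX */
    if (next > max_width)
        return false;                 /* attacker-sized offset, refuse */
    while (next > c->width) {         /* image-buffer doubling loop */
        if (c->width > max_width / 2) { c->width = max_width; break; }
        c->width *= 2;
    }
    c->pos_x = next;
    return true;
}

int main(void)
{
    cursor_t c = { 256, INT_MAX - 1 };
    printf("naive check near INT_MAX says fits: %d\n", naive_fits(&c, 10));
    printf("checked advance accepts it:        %d\n",
           checked_advance(&c, 10, 1 << 16));
    return 0;
}
```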

This isn’t just theoretical. An out-of-bounds heap write is a classic primitive for arbitrary code execution. Given that SIXEL data can be delivered via various channels, including terminal output or image processing, the attack surface is broader than it might initially appear. Defenders need to recognize that any software using libsixel for image handling, especially in contexts where it processes untrusted input, is at risk.

What This Means For You

  • If your organization's software or systems utilize libsixel, check for version 1.8.7-r2 or later immediately. Any application processing SIXEL data from external sources, especially user-supplied images or terminal output, is exposed to potential arbitrary code execution. Prioritize patching or updating libsixel to mitigate this high-severity vulnerability.

🛡️ Detection Rules

Rule: CVE-2026-44637 - Libsixel Heap Write via Integer Overflow (level: high; ATT&CK T1204.002, Execution)

Sigma YAML:
title: CVE-2026-44637 - Libsixel Heap Write via Integer Overflow
id: scw-2026-05-14-ai-1
status: experimental
level: high
description: |
  Detects the execution of img2sixel with a .sixel file, which is a common way to trigger the libsixel vulnerability (CVE-2026-44637). The vulnerability occurs in the SIXEL parser's image-buffer doubling loop, leading to an out-of-bounds heap write. This rule specifically targets the tool and file type associated with the exploit.
author: SCW Feed Engine (AI-generated)
date: 2026-05-14
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-44637/
tags:
  - attack.execution
  - attack.t1204.002
logsource:
  category: process_creation
detection:
  selection:
    Image|contains:
      - 'img2sixel'
    CommandLine|contains:
      - '.sixel'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World

Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-44637 | Buffer Overflow | libsixel versions up to 1.8.7-r1 |
| CVE-2026-44637 | Memory Corruption | Signed integer overflow in SIXEL parser's image-buffer doubling loop |
| CVE-2026-44637 | Out-of-bounds Write | sixel_decode_raw_impl function |
| CVE-2026-44637 | Affected Component | img2sixel (when decoding attacker-supplied SIXEL data) |
| CVE-2026-44637 | Patch Version | libsixel 1.8.7-r2 |

Source & Attribution
Source Platform: NVD
Channel: National Vulnerability Database
Published: May 14, 2026 at 23:17 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
