CVE-2026-44636

Source
https://cve.org/CVERecord?id=CVE-2026-44636
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44636.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-44636
Aliases
  • GHSA-hx93-w8p2-ffh5
Downstream
Published
2026-05-14T20:01:27.050Z
Modified
2026-07-08T08:13:28.007247833Z
Severity
  • 7.4 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
libsixel: integer overflow in encoder
Details

libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. From to 1.8.7-r1, signed integer overflow in sixelencodehighcolor's allocation size calculation can lead to a heap buffer overflow. The public sixelencode entry point validates only that width and height are greater than zero, with no upper bound. width and height are multiplied as plain int when computing the allocation size for palettedpixels and normalizedpixels. Any caller that asks libsixel to encode a pixel buffer with width times height greater than INTMAX (about 2.15 billion) will hit a wrapped allocation size; under the right wrap, the malloc succeeds with a buffer much smaller than the encoder expects, and the encoder writes past the end of the heap allocation. This vulnerability is fixed in 1.8.7-r2.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44636.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-122",
        "CWE-190"
    ]
}
References

Affected packages

Git / github.com/saitoha/libsixel

Affected ranges

Type
GIT
Repo
https://github.com/saitoha/libsixel
Events
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "cpe": "cpe:2.3:a:saitoha:libsixel:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "1.4.4"
        },
        {
            "fixed": "1.8.7-r2"
        }
    ]
}

Affected versions

Other
nightly-latest
v1.*
v1.4.10
v1.4.11
v1.4.12
v1.4.13
v1.4.4
v1.4.5
v1.4.6
v1.4.7
v1.4.8
v1.4.9
v1.5.0
v1.5.1
v1.5.2
v1.6.1
v1.7.1
v1.7.2
v1.7.3
v1.8.0
v1.8.1
v1.8.2
v1.8.3
v1.8.4
v1.8.5
v1.8.6
v1.8.7
v1.8.7-r1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44636.json"