ZCyberNews
Libsixel Heap Overflow CVE-2026-44636 Lets Attackers Trigger RCE

Executive Summary

A signed integer overflow vulnerability in libsixel, a widely used SIXEL image encoder/decoder library, tracked as CVE-2026-44636 with a CVSS score of 7.8, can be exploited to trigger a heap buffer overflow. The flaw affects all versions of libsixel up to and including 1.8.7-r1. An attacker who supplies a specially crafted SIXEL image to an application using the library could achieve remote code execution (RCE) in the context of the vulnerable process. No official patch has been released as of this writing, though the maintainer has acknowledged the issue via a GitHub security advisory (GHSA-hx93-w8p2-ffh5).

Technical Analysis

The vulnerability resides in the sixel_encode_highcolor function within libsixel's encoding pipeline. According to the advisory published on the project's GitHub repository, the function computes an allocation size by multiplying width and height parameters as plain signed int values. The public sixel_encode entry point validates only that both dimensions are greater than zero, imposing no upper bound on their magnitude.

When width and height are large enough, their product no longer fits in a signed 32-bit int. Signed overflow is undefined behaviour in C; on the two's-complement targets libsixel is built for, the product in practice wraps modulo 2^32 to a small positive or a negative value. That wrapped value is converted to size_t and handed to the allocator, which returns a buffer far smaller than the image requires. The encoder then writes width * height pixels into it, overrunning the undersized heap buffer and corrupting adjacent memory.

The advisory notes that the overflow is triggered during the allocation size calculation, specifically in the line:

size_t alloc_size = width * height * sizeof(uint32_t);

Because width and height are int, the expression parses as (width * height) * sizeof(uint32_t): the two dimensions are multiplied in signed 32-bit arithmetic first, and only that result is widened to size_t for the final multiplication. With both dimensions under attacker control, width * height can be made to wrap in two ways. If it wraps to a small positive value, the allocation succeeds but is far too small, and the subsequent writes, which are sized for the original dimensions, run past the end of the buffer; this is the exploitable heap buffer overflow the advisory describes. If it wraps to a negative value, the implicit conversion to size_t (an unsigned type) yields a very large number, and the allocation typically fails or requests an unexpectedly large block; that path is a denial-of-service condition rather than the controllable overflow.

No proof-of-concept exploit code has been published publicly, but the advisory states that the issue is reachable via any application that calls sixel_encode with attacker-supplied width and height values. Libraries and tools that use libsixel for image conversion, terminal graphics rendering, or thumbnail generation are potentially affected.

Mitigations & Recommendations

As of May 15, 2026, no patched version of libsixel has been released. The project maintainer has not indicated a timeline for a fix. Defenders should take the following steps:

  • Disable SIXEL processing in any application that uses libsixel if the application accepts untrusted image inputs. This is the most effective mitigation until a patch is available.
  • Apply input validation at the application layer: reject images with width or height values exceeding a safe threshold (e.g., 16,384 pixels) before passing them to libsixel.
  • Monitor the libsixel GitHub repository for the release of version 1.8.7-r2 or later, which is expected to include a bounds check on the multiplication.
  • Consider using memory-safe alternatives for SIXEL encoding/decoding in security-critical contexts, such as implementations that use checked arithmetic or are written in memory-safe languages.
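The size calculation from the Technical Analysis section beside the application-layer validation recommended above, as an added example that is not libsixel's code nor the advisory's. The function names (vuln_alloc_size, needed_bytes, overflow_bytes, safe_alloc_size, checked_size_or_zero), the MAX_DIM constant and the sample dimensions are assumptions made for this illustration; the vulnerable helper reproduces the wraparound described in the article with unsigned arithmetic so that the demonstration itself stays well-defined.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not libsixel's own code. Function names, MAX_DIM and the
 * sample dimensions below are assumptions made for this illustration. */

/* The article quotes the vulnerable pattern as
 *     size_t alloc_size = width * height * sizeof(uint32_t);
 * where width and height are int. Signed overflow is undefined behaviour in C,
 * so this helper reproduces the two's-complement wraparound described in the
 * article with unsigned arithmetic, which keeps the demonstration well-defined. */
size_t vuln_alloc_size(int width, int height)
{
    int wrapped = (int)((uint32_t)width * (uint32_t)height); /* wraps modulo 2^32 */
    return (size_t)wrapped * sizeof(uint32_t);               /* negative -> huge size_t */
}

/* Bytes the encoder actually writes for a width x height buffer of uint32_t,
 * computed in 64-bit arithmetic so it cannot overflow for any int inputs. */
uint64_t needed_bytes(int width, int height)
{
    return (uint64_t)width * (uint64_t)height * sizeof(uint32_t);
}

/* How far the writes run past the end of the undersized buffer (0 if none). */
uint64_t overflow_bytes(int width, int height)
{
    uint64_t need = needed_bytes(width, height);
    uint64_t got = (uint64_t)vuln_alloc_size(width, height);
    return got < need ? need - got : 0;
}

/* Hardened replacement: reject non-positive or oversized dimensions, then
 * multiply in size_t arithmetic with explicit overflow checks.
 * MAX_DIM matches the 16,384-pixel threshold suggested under Mitigations. */
#define MAX_DIM 16384

int safe_alloc_size(int width, int height, size_t *out)
{
    if (width <= 0 || height <= 0 || width > MAX_DIM || height > MAX_DIM)
        return -1;
    size_t w = (size_t)width, h = (size_t)height;
    if (w > SIZE_MAX / h)                       /* w * h would overflow size_t */
        return -1;
    size_t pixels = w * h;
    if (pixels > SIZE_MAX / sizeof(uint32_t))  /* pixels * 4 would overflow */
        return -1;
    *out = pixels * sizeof(uint32_t);
    return 0;
}

/* Convenience wrapper: the checked size, or 0 when the dimensions are rejected. */
size_t checked_size_or_zero(int width, int height)
{
    size_t n;
    return safe_alloc_size(width, height, &n) == 0 ? n : 0;
}

int main(void)
{
    /* Constructed sample dimensions: a benign image, one whose int product wraps
     * to a small positive value (undersized buffer), and one that wraps negative
     * (huge size_t, allocation normally fails). */
    const int dims[][2] = { {640, 480}, {65537, 65537}, {65536, 32768} };
    for (size_t i = 0; i < sizeof dims / sizeof dims[0]; i++) {
        int w = dims[i][0], h = dims[i][1];
        printf("%6d x %6d: vulnerable alloc=%zu needed=%llu overrun=%llu hardened=%s\n",
               w, h, vuln_alloc_size(w, h),
               (unsigned long long)needed_bytes(w, h),
               (unsigned long long)overflow_bytes(w, h),
               checked_size_or_zero(w, h) ? "accepted" : "rejected");
    }
    return 0;
}
```

With the MAX_DIM cap in place the product can never exceed 2^30 bytes, so the two division checks are redundant for these limits; they are kept so that raising MAX_DIM later cannot silently reintroduce the bug. Note that simply casting to size_t before the multiplication (`(size_t)width * height`) widens the arithmetic but does not bound it, so on 32-bit targets a cap or a checked multiply is still required.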
