libsixel NULL Pointer Dereference CVE-2026-44638 Gets Low CVSS
CVE-2026-44638: libsixel 1.8.7-r1 and earlier has a NULL pointer dereference in sixel_decode_raw and sixel_decode due to a wrong NULL check after malloc. CVSS 2.5.

Executive Summary
A NULL pointer dereference vulnerability in libsixel, a widely used SIXEL encoder/decoder library, has been assigned CVE-2026-44638 with a CVSS score of 2.5 (Low). The flaw affects versions up to and including 1.8.7-r1. According to the advisory published on GitHub by the libsixel maintainers, the root cause is a logic error in the NULL check following a memory allocation call within the sixel_decode_raw and sixel_decode functions. Instead of checking the pointer returned by malloc, the code checks the address of the output parameter, which is always non-NULL. This means that when memory allocation fails, the code proceeds to dereference a NULL pointer, leading to a crash. The vulnerability is exploitable locally or via crafted SIXEL images that exhaust memory, but its impact is limited to denial of service.
Technical Analysis
The vulnerability resides in the memory allocation handling of libsixel's core decoding routines. In the functions sixel_decode_raw and sixel_decode, the library allocates memory using malloc and then attempts to verify the success of the allocation. The advisory (GHSA-wpx3-h5g8-qr3w) states that the check "tests the address of the output parameter (always non-NULL) instead of the value the malloc returned." This is a classic error-handling logic mistake: the programmer intended to validate that the allocated buffer exists, but instead validated that the pointer-to-pointer argument passed to the function is not NULL — a condition that is always true in normal usage.
When malloc fails (e.g., due to memory exhaustion or an oversized image dimension), the returned pointer is NULL. Because the NULL check is misdirected, the code does not detect the failure and continues to write data through the NULL pointer. This results in a NULL pointer dereference, which on most operating systems causes a segmentation fault and process termination.
The affected versions span from the initial implementation up to 1.8.7-r1. The fix, presumably included in later releases, corrects the NULL check to compare the actual return value of malloc against NULL. The advisory does not specify a fixed version number, but users should upgrade to the latest release.
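The misdirected check and its corrected form, as an added illustration written for this article rather than libsixel's own code. It models the decoder as a function taking an output parameter and an injectable allocator (a constructed stand-in for malloc failing under memory exhaustion), so the failure path can be observed without actually dereferencing NULL; the hypothetical function names and the size-overflow guard in the fixed version are assumptions, not taken from the advisory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed illustration of the misdirected check; not libsixel's code. The
 * allocator is injectable so the failure path runs without exhausting memory. */
typedef void *(*alloc_fn)(size_t);
typedef int (*decode_fn)(unsigned char **, size_t, size_t, alloc_fn);
void *failing_alloc(size_t n) { (void)n; return NULL; }   /* malloc under exhaustion */
/* Buggy pattern: tests the address of the output parameter (always non-NULL for a
 * valid caller) instead of the value malloc returned; the -1 branch is never taken. */
int decode_buggy_check(unsigned char **out, size_t width, size_t height, alloc_fn alloc)
{
    *out = alloc(width * height);
    void *checked = &out;            /* intended *out, wrote &out */
    if (checked == NULL)
        return -1;
    /* Real code writes pixels through *out here: the NULL dereference when it failed. */
    return 0;
}
/* Corrected pattern: check what malloc returned, and refuse dimensions whose
 * product would wrap size_t before the size ever reaches the allocator. */
int decode_fixed_check(unsigned char **out, size_t width, size_t height, alloc_fn alloc)
{
    if (height != 0 && width > SIZE_MAX / height)
        return -1;                   /* oversized image: width * height would wrap */
    *out = alloc(width * height);
    if (*out == NULL)
        return -1;                   /* allocation failed: report, never write */
    return 0;
}
/* Runs a decoder on a fresh buffer; returns 1 when the decode path was reached
 * with *out == NULL, i.e. where real code would dereference NULL. */
int reached_write_with_null(decode_fn decode, size_t width, size_t height, alloc_fn alloc)
{
    unsigned char *buf = NULL;
    int rc = decode(&buf, width, height, alloc);
    int hit = (rc == 0 && buf == NULL);
    free(buf);
    return hit;
}
int main(void)
{
    printf("buggy check, allocation fails: reached write with NULL = %d\n", reached_write_with_null(decode_buggy_check, 4, 4, failing_alloc));
    printf("fixed check, allocation fails: reached write with NULL = %d\n", reached_write_with_null(decode_fixed_check, 4, 4, failing_alloc));
    return 0;
}
```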
The CVSS 2.5 score reflects the low severity: the attack vector is local (AV:L), attack complexity is low (AC:L), no privileges are required (PR:N), and user interaction is required to open a malformed SIXEL file (UI:R). The impact on availability is partial (A:L), with no impact on confidentiality or integrity (C:N, I:N). An attacker would need to convince a user to process a specially crafted SIXEL image, or exploit the vulnerability in a service that automatically decodes SIXEL data from untrusted sources.
Mitigations & Recommendations
Defenders should update libsixel to the latest version that includes the fix for CVE-2026-44638. As of this writing, the fixed version has not been explicitly tagged in the advisory, but the repository's commit history should contain the corrected NULL check. Users of systems that process SIXEL images from untrusted sources — such as terminal emulators, image viewers, or conversion tools — should prioritize this update. In environments where libsixel is used in a service context (e.g., a web application that converts uploaded images to SIXEL format), consider implementing memory limits or sandboxing the decoding process to mitigate the risk of denial-of-service attacks.