UBUNTU-CVE-2026-33023
- Source
- https://ubuntu.com/security/CVE-2026-33023
- Import Source
- https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33023.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2026-33023
- Upstream
- Published
- 2026-04-14T23:16:00Z
- Modified
- 2026-04-16T11:05:00.893787Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Ubuntu - medium
- Summary
- [none]
- Details
-
libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. In versions 1.8.7 and prior, when built with the --with-gdk-pixbuf2 option, a use-after-free vulnerability exists in loadwithgdkpixbuf() in loader.c. The cleanup path manually frees the sixelframet object and its internal buffers without consulting the reference count, even though the object was created via the refcounted constructor sixelframenew() and exposed to the public callback. A callback that calls sixelframeref(frame) to retain a logically valid reference will hold a dangling pointer after sixelhelperloadimagefile() returns, and any subsequent access to the frame or its fields triggers a use-after-free confirmed by AddressSanitizer. The root cause is a consistency failure between two cleanup strategies in the same codebase: sixelframeunref() is used in loadwithbuiltin() but raw free() is used in loadwithgdkpixbuf(). An attacker supplying a crafted image to any application built against libsixel with gdk-pixbuf2 support can trigger this reliably, potentially leading to information disclosure, memory corruption, or code execution. This issue has been fixed in version 1.8.7-r1.
- References
Affected packages
Ubuntu:16.04:LTS
libsixel
Package
- Name
- libsixel
- Purl
- pkg:deb/ubuntu/libsixel@1.5.2-2?arch=source&distro=xenial
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ubuntu:18.04:LTS
libsixel
Package
- Name
- libsixel
- Purl
- pkg:deb/ubuntu/libsixel@1.7.3-1?arch=source&distro=bionic
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ubuntu:20.04:LTS
libsixel
Package
- Name
- libsixel
- Purl
- pkg:deb/ubuntu/libsixel@1.8.2-2.1?arch=source&distro=focal
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ecosystem specific
{
"binaries": [
{
"binary_version": "1.8.2-2.1",
"binary_name": "libsixel-bin"
},
{
"binary_version": "1.8.2-2.1",
"binary_name": "libsixel-dev"
},
{
"binary_version": "1.8.2-2.1",
"binary_name": "libsixel-examples"
},
{
"binary_version": "1.8.2-2.1",
"binary_name": "libsixel1"
}
]
}Ubuntu:22.04:LTS
libsixel
Package
- Name
- libsixel
- Purl
- pkg:deb/ubuntu/libsixel@1.10.3-3?arch=source&distro=jammy
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ubuntu:24.04:LTS
libsixel
Package
- Name
- libsixel
- Purl
- pkg:deb/ubuntu/libsixel@1.10.3-3build1?arch=source&distro=noble
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ecosystem specific
{
"binaries": [
{
"binary_version": "1.10.3-3build1",
"binary_name": "libsixel-bin"
},
{
"binary_version": "1.10.3-3build1",
"binary_name": "libsixel-dev"
},
{
"binary_version": "1.10.3-3build1",
"binary_name": "libsixel-examples"
},
{
"binary_version": "1.10.3-3build1",
"binary_name": "libsixel1"
}
]
}Ubuntu:25.10
libsixel
Package
- Name
- libsixel
- Purl
- pkg:deb/ubuntu/libsixel@1.10.5-1?arch=source&distro=questing
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected