cvedb.io
CVE-2026-44638
LOW · CVSS 2.5
EPSS exploitation probability: 0%
Published 2026-05-14T20:17:08.983 · Last modified 2026-06-17T10:51:10.527

Summary

libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. From to 1.8.7-r1, a wrong NULL check after an allocation call in sixel_decode_raw and sixel_decode causes a NULL pointer dereference whenever the allocation fails. The check tests the address of the output parameter (always non-NULL) instead of the value that malloc returned. On allocation failure, the function continues and writes through a NULL pointer, crashing the process. This is a denial of service against any caller of these public APIs that hits a low-memory condition. This vulnerability is fixed in 1.8.7-r2.
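
The check described in the summary, reduced to a minimal C illustration of the flawed and corrected patterns. This is an added example, not libsixel's code: the function names, return codes and the injectable allocator are hypothetical, and the flawed variant carries a demo-only guard so it reports the missed failure instead of crashing.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical names throughout; this is not libsixel source. */
typedef void *(*alloc_fn)(size_t);   /* injectable allocator */
enum { DEC_OK = 0, DEC_BAD_ARG = -1, DEC_BAD_ALLOC = -2, DEC_MISSED_NULL = -3 };

/* Simulates the low-memory condition: every allocation fails. */
static void *failing_alloc(size_t n) { (void)n; return NULL; }

/* Flawed pattern: the check looks at the output parameter itself. */
static int decode_flawed(unsigned char **pixels, size_t size, alloc_fn alloc)
{
    *pixels = alloc(size);
    if (pixels == NULL)          /* caller's pointer address: not NULL here */
        return DEC_BAD_ALLOC;    /* never taken when the allocation fails */
    /* Demo-only guard: the flawed pattern has no such check and would
     * write through the NULL *pixels at this point. */
    if (*pixels == NULL)
        return DEC_MISSED_NULL;
    memset(*pixels, 0, size);
    return DEC_OK;
}

/* Corrected pattern: validate the argument, then test what was allocated. */
static int decode_fixed(unsigned char **pixels, size_t size, alloc_fn alloc)
{
    if (pixels == NULL)
        return DEC_BAD_ARG;
    *pixels = alloc(size);
    if (*pixels == NULL)         /* the value the allocator returned */
        return DEC_BAD_ALLOC;
    memset(*pixels, 0, size);
    return DEC_OK;
}

int main(void)
{
    unsigned char *p = NULL;
    printf("flawed, alloc fails: %d\n", decode_flawed(&p, 16, failing_alloc));
    printf("fixed,  alloc fails: %d\n", decode_fixed(&p, 16, failing_alloc));
    printf("fixed,  alloc works: %d\n", decode_fixed(&p, 16, malloc));
    free(p);
    return 0;
}
```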

Affected products

saitoha — libsixel

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.