{"id":"CVE-2026-44637","summary":"libsixel: integer overflow in parser","details":"libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. From  to 1.8.7-r1, a signed integer overflow in the SIXEL parser's image-buffer doubling loop can lead to an out-of-bounds heap write in sixel_decode_raw_impl. context-\u003epos_x grows by repeat_count on every sixel character with no upper bound check. Once pos_x approaches INT_MAX, the expression \"pos_x + repeat_count\" used to size the image buffer overflows signed int. Depending on how the overflow wraps, the resize check that should reject oversized buffers can be bypassed, after which a subsequent write computes a large attacker-influenced offset into image-\u003edata and writes past the allocation. Reachable from any caller that decodes attacker-supplied SIXEL data, including img2sixel. This vulnerability is fixed in 1.8.7-r2.","aliases":["GHSA-9jm7-77gr-qghv"],"modified":"2026-07-08T08:09:36.537104469Z","published":"2026-05-14T20:02:32.034Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44637.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-190","CWE-787"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44637.json"},{"type":"ADVISORY","url":"https://github.com/saitoha/libsixel/security/advisories/GHSA-9jm7-77gr-qghv"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44637"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/saitoha/libsixel","events":[{"introduced":"361c78aeb8ea54ac25eb50aa22c976b5f48abffa"},{"fixed":"764f4e618c8bbc427fb74622e3227243fe6762fb"}],"database_specific":{"source":["AFFECTED_FIELD","CPE_RANGE"],"extracted_events":[{"introduced":"0.11.0"},{"fixed":"1.8.7-r2"}],"cpe":"cpe:2.3:a:saitoha:libsixel:*:*:*:*:*:*:*:*"}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44637.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H"}]}