VYPR
Medium severity 4.5 · NVD Advisory · Published Jun 9, 2026

CVE-2026-11623

Description

A use-after-free vulnerability has been found in tmux up to 3.6a. It affects the function image_free in the file image.c. The attack requires local access and has high complexity, and exploitation is said to be difficult. The exploit has been disclosed publicly and may be used. Upgrading to version 3.7-rc addresses this issue. The patch is named fc6d94a9f8a593bd8b7031650802084385d4ee03. The affected component should be upgraded.

Affected products

1

Patches

1
fc6d94a9f8a5

Track which list (images or saved_images) each image is on so they can be

https://github.com/tmux/tmux · Nicholas Marriott · Apr 27, 2026 · via body-scan
3 files changed · +18 -7
  • image.c +3 -4 modified
    @@ -53,14 +53,12 @@ image_log(struct image *im, const char* from, const char* fmt, ...)
     static void
     image_free(struct image *im)
     {
    -	struct screen	*s = im->s;
    -
     	image_log(im, __func__, NULL);
     
     	TAILQ_REMOVE(&all_images, im, all_entry);
     	all_images_count--;
     
    -	TAILQ_REMOVE(&s->images, im, entry);
    +	TAILQ_REMOVE(im->list, im, entry);
     	sixel_free(im->data);
     	free(im->fallback);
     	free(im);
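Review bot: In image_free, TAILQ_REMOVE(im->list, im, entry) dereferences im->list with no check that it is set or still current, so any later path that moves an image between lists without updating list brings back the wrong-head removal. Add a comment on image_free stating that im->list must always name the list the image is linked on through entry, and consider a fatal check for im->list == NULL before the remove.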
    @@ -137,7 +135,8 @@ image_store(struct screen *s, struct sixel_image *si)
     	image_fallback(&im->fallback, im->sx, im->sy);
     
     	image_log(im, __func__, NULL);
    -	TAILQ_INSERT_TAIL(&s->images, im, entry);
    +	im->list = &s->images;
    +	TAILQ_INSERT_TAIL(im->list, im, entry);
     
     	TAILQ_INSERT_TAIL(&all_images, im, all_entry);
     	if (++all_images_count == MAX_IMAGE_COUNT)
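Review bot: In image_store, the assignment im->list = &s->images and the TAILQ_INSERT_TAIL(im->list, im, entry) that follows must always change together, but nothing ties them to each other. A small helper that sets list and links entry in one place would stop a later caller from inserting an image without tagging it.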
    
  • screen.c +12 -2 modified
    @@ -657,7 +657,10 @@ screen_reflow(struct screen *s, u_int new_x, u_int *cx, u_int *cy, int cursor)
     void
     screen_alternate_on(struct screen *s, struct grid_cell *gc, int cursor)
     {
    -	u_int	sx, sy;
    +	u_int		 sx, sy;
    +#ifdef ENABLE_SIXEL
    +	struct image	*im;
    +#endif
     
     	if (SCREEN_IS_ALTERNATE(s))
     		return;
    @@ -674,6 +677,8 @@ screen_alternate_on(struct screen *s, struct grid_cell *gc, int cursor)
     
     #ifdef ENABLE_SIXEL
     	TAILQ_CONCAT(&s->saved_images, &s->images, entry);
    +	TAILQ_FOREACH(im, &s->saved_images, entry)
    +	    im->list = &s->saved_images;
     #endif
     
     	grid_view_clear(s->grid, 0, 0, sx, sy, 8);
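Review bot: The body of TAILQ_FOREACH(im, &s->saved_images, entry) is indented with a tab plus four spaces, which reads as a continuation line rather than a loop body; use a second tab. The same retag loop appears again in screen_alternate_off with only the list name changed, so a shared helper taking the destination list would keep the two copies from drifting apart.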
    @@ -686,7 +691,10 @@ screen_alternate_on(struct screen *s, struct grid_cell *gc, int cursor)
     void
     screen_alternate_off(struct screen *s, struct grid_cell *gc, int cursor)
     {
    -	u_int	sx = screen_size_x(s), sy = screen_size_y(s);
    +	u_int		 sx = screen_size_x(s), sy = screen_size_y(s);
    +#ifdef ENABLE_SIXEL
    +	struct image	*im;
    +#endif
     
     	/*
     	 * If the current size is different, temporarily resize to the old size
    @@ -733,6 +741,8 @@ screen_alternate_off(struct screen *s, struct grid_cell *gc, int cursor)
     #ifdef ENABLE_SIXEL
     	image_free_all(s);
     	TAILQ_CONCAT(&s->images, &s->saved_images, entry);
    +	TAILQ_FOREACH(im, &s->images, entry)
    +	    im->list = &s->images;
     #endif
     
     	if (s->cx > screen_size_x(s) - 1)
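Review bot: Between TAILQ_CONCAT(&s->images, &s->saved_images, entry) and the end of the TAILQ_FOREACH, every moved image still has list pointing at &s->saved_images. Nothing runs in between in this hunk, but the ordering is load-bearing and undocumented; add a comment that no image may be freed between the concat and the retag.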
    
  • tmux.h +3 -1 modified
    @@ -971,8 +971,10 @@ struct image {
     	u_int			 sx;
     	u_int			 sy;
     
    -	TAILQ_ENTRY (image)	 all_entry;
    +	struct images		*list;
     	TAILQ_ENTRY (image)	 entry;
    +
    +	TAILQ_ENTRY (image)	 all_entry;
     };
     TAILQ_HEAD(images, image);
     #endif
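Review bot: The new struct images *list member of struct image has no comment. State that it points at whichever of s->images or s->saved_images the image is currently linked on through entry, and that it must be updated whenever the image moves. Moving all_entry below entry is unrelated to the fix and could be dropped from this change.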
    

Vulnerability mechanics

Root cause

"The image_free function incorrectly removes images from the s->images list instead of the correct list (s->images or s->saved_images) after a screen alternate switch, leading to heap corruption and use-after-free."

Attack vector

An attacker can craft a Sixel sequence and trick a user into displaying it within a tmux pane. This sequence is processed by the tmux server, triggering the vulnerability. Exploitation requires local access to the tmux pane; the complexity is high and exploitability is difficult [ref_id=1]. The attack can lead to a denial of service by crashing the tmux server, and could potentially allow arbitrary code execution through heap manipulation [ref_id=1].

Affected code

The vulnerability resides in the image_free function within image.c, which is responsible for deallocating Sixel image data. The issue is triggered by operations involving the screen_alternate_on and screen_alternate_off functions in screen.c, particularly when images are moved between the s->images and s->saved_images lists. The struct image definition in tmux.h was also modified to include a pointer to the list it belongs to.

What the fix does

The patch modifies the image_free function to use a new 'list' member within the struct image. This member correctly tracks which list (images or saved_images) an image belongs to. By using this pointer, image_free can now correctly remove the image from its actual list, preventing the corruption of list metadata and the subsequent use-after-free condition [patch_id=5312838]. Additionally, the screen_alternate_on and screen_alternate_off functions are updated to correctly set the 'list' member for images moved between s->images and s->saved_images [ref_id=2].
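The list bookkeeping described above can be reproduced with one image and two list heads. This is an added example, not tmux code: struct screen is reduced to its two image lists, head_ok and unlink_after_switch are hypothetical names, and it assumes a <sys/queue.h> that provides TAILQ_CONCAT (glibc or a BSD).

```c
#include <stdlib.h>
#include <sys/queue.h>

/* Constructed stand-ins for tmux's struct image and struct screen. */
struct image {
	struct images		*list;	/* list the image is linked on (the fix) */
	TAILQ_ENTRY(image)	 entry;
};
TAILQ_HEAD(images, image);
struct screen { struct images images, saved_images; };

/* A head is consistent when tqh_last addresses the final next pointer. */
static int
head_ok(struct images *h)
{
	struct image	*im, *last = NULL;

	TAILQ_FOREACH(im, h, entry)
		last = im;
	return (h->tqh_last == (last ? &last->entry.tqe_next : &h->tqh_first));
}

/* Store one image, move it to saved_images, unlink it, check both heads. */
static int
unlink_after_switch(int fixed)
{
	struct screen	 s;
	struct images	*from;
	struct image	*im = calloc(1, sizeof *im);
	int		 ok;

	if (im == NULL)
		return (-1);
	TAILQ_INIT(&s.images);
	TAILQ_INIT(&s.saved_images);
	im->list = &s.images;			/* as in patched image_store */
	TAILQ_INSERT_TAIL(im->list, im, entry);
	TAILQ_CONCAT(&s.saved_images, &s.images, entry);
	if (fixed)				/* retag after the concat */
		im->list = &s.saved_images;
	from = fixed ? im->list : &s.images;	/* pre-fix: always s->images */
	TAILQ_REMOVE(from, im, entry);
	ok = head_ok(&s.images) && head_ok(&s.saved_images);
	free(im);
	return (ok);
}

int main(void) { return (unlink_after_switch(1) == 1 ? 0 : 1); }
```

In the pre-fix run, saved_images.tqh_last is left addressing a field inside the image that is then freed, and images.tqh_last is left addressing saved_images; the patched run leaves both heads empty and self-consistent.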

Preconditions

  • input: The attacker must be able to inject a crafted Sixel sequence into a tmux pane.
  • config: The tmux binary must be compiled with Sixel support enabled.

Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

7
