VYPR
Low severity2.5NVD Advisory· Published May 14, 2026· Updated May 15, 2026

CVE-2026-44638

CVE-2026-44638

Description

libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. From to 1.8.7-r1, a wrong NULL check after an allocation call in sixel_decode_raw and sixel_decode causes a NULL pointer dereference whenever the allocation fails. The check tests the address of the output parameter (always non-NULL) instead of the value the malloc returned. On allocation failure, the function continues and writes through a NULL pointer, crashing the process. This is a denial of service against any caller of these public APIs that hits a low-memory condition. This vulnerability is fixed in 1.8.7-r2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Saitoha/Libsixel2 versions
    cpe:2.3:a:saitoha:libsixel:*:*:*:*:*:*:*:*+ 1 more
    • cpe:2.3:a:saitoha:libsixel:*:*:*:*:*:*:*:*range: >=1.0.0,<1.8.7-r2
    • (no CPE)range: <=1.8.7-r1

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.