LOW

CVE-2026-44638

CWE-476 · Published: May 14, 2026 · Updated: May 15, 2026

CVSS v3.1: 2.5
EPSS: 0.01% probability of exploitation in 30 days · Percentile: 1.9th

Official Description

libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. From to 1.8.7-r1, a wrong NULL check after an allocation call in sixel_decode_raw and sixel_decode causes a NULL pointer dereference whenever the allocation fails. The check tests the address of the output parameter (always non-NULL) instead of the value the malloc returned. On allocation failure, the function continues and writes through a NULL pointer, crashing the process. This is a denial of service against any caller of these public APIs that hits a low-memory condition. This vulnerability is fixed in 1.8.7-r2.
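
The check pattern described above, reduced to a minimal case. This is an added example, not libsixel source code: every function name, the status codes and the always-failing allocator are hypothetical, and the extra guard before the write exists only so the demonstration reports the NULL write instead of crashing.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* All names here are hypothetical; this is not libsixel source code. */
enum { DECODE_OK = 0, DECODE_NOMEM = -1, DECODE_NULL_WRITE = -2 };

typedef void *(*alloc_fn)(size_t);
typedef int (*check_fn)(unsigned char **);

/* Constructed allocator that always fails, standing in for low memory. */
static void *failing_alloc(size_t n) { (void)n; return NULL; }

/* Flawed check: tests the output parameter's address, which a valid
 * caller never passes as NULL, so allocation failure goes unnoticed. */
static int alloc_failed_flawed(unsigned char **out) { return out == NULL; }

/* Corrected check: tests the pointer value the allocator returned. */
static int alloc_failed_fixed(unsigned char **out) { return *out == NULL; }

/* Allocate an n-byte output buffer and clear it, as a decoder would
 * before writing pixels. */
static int decode_into(unsigned char **out, size_t n,
                       alloc_fn alloc, check_fn alloc_failed)
{
    *out = alloc(n);
    if (alloc_failed(out))
        return DECODE_NOMEM;          /* clean error path */
    if (*out == NULL)
        return DECODE_NULL_WRITE;     /* demo guard: the memset below would crash */
    memset(*out, 0, n);
    return DECODE_OK;
}

int main(void)
{
    unsigned char *buf = NULL;
    printf("flawed check, failed alloc: %d\n",
           decode_into(&buf, 64, failing_alloc, alloc_failed_flawed));
    printf("fixed check, failed alloc:  %d\n",
           decode_into(&buf, 64, failing_alloc, alloc_failed_fixed));
    printf("fixed check, malloc:        %d\n",
           decode_into(&buf, 64, malloc, alloc_failed_fixed));
    free(buf);
    return 0;
}
```

With the flawed check the failed allocation reaches the write path; with the corrected check the caller gets an out-of-memory status and the process survives.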

NVD Source

Technical Analysis

CVE-2026-44638 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation does not require any privileges, but user interaction is required, which slightly reduces the risk of mass automated attacks.

CVSS v3.1 Vector Breakdown

Exploitability
  Attack Vector: Local
  Attack Complexity: High
  Privileges Req.: None
  User Interaction: Required
  Scope: Unchanged
Impact
  Confidentiality: None
  Integrity: None
  Availability: Low
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L

Affected Vendors & Products

saitoha (1 product)
  • libsixel
Source: NVD CPE · 1 total CPE entries

Exploit & PoC Resources

NO KNOWN EXPLOIT: No public exploit confirmed at this time

Quick Facts

CVE ID: CVE-2026-44638
CVSS Score: 2.5 / 10
Severity: LOW
Weakness: CWE-476
CISA KEV: No
EPSS (30d): 0.01%
Affected: 1 vendor
Published: May 14, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-44638 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.