SB20260425196 - Remote code execution in libcaca



Published: April 25, 2026

Security Bulletin ID: SB20260425196
CSH Severity: High
Patch available: NO
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Heap-based buffer overflow (CVE-ID: CVE-2026-42046)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to a heap-based buffer overflow caused by integer overflow in the canvas import functions when parsing a crafted file in the "caca" format. A remote attacker can supply a specially crafted file to execute arbitrary code.

User interaction is required to open or import the crafted file, and the impact may depend on the build configuration and memory allocator.
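
An added illustration of the bug class described above (an integer overflow in a size calculation that yields an undersized heap buffer), shown beside a checked form. It is not libcaca's code: the cell size, the size limit and the function names are assumptions, since the bulletin does not reproduce the affected code.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed storage per canvas cell: 32-bit character + 32-bit attribute. */
#define CELL_BYTES 8u
/* Assumed policy ceiling for one imported canvas (64 MiB). */
#define MAX_CANVAS_BYTES (64u * 1024u * 1024u)

/* Unchecked form: the product is computed in 32 bits and wraps silently,
 * so file-supplied dimensions can produce a tiny allocation size while
 * later copy loops still iterate over width * height cells. */
static uint32_t unchecked_canvas_bytes(uint32_t width, uint32_t height)
{
    return width * height * CELL_BYTES;
}

/* Checked form: validate the dimensions by division before multiplying,
 * so no intermediate value can wrap, and refuse anything over the ceiling. */
static bool checked_canvas_bytes(uint32_t width, uint32_t height, size_t *out)
{
    const uint32_t max_cells = MAX_CANVAS_BYTES / CELL_BYTES;

    if (width == 0 || height == 0)
        return false;                 /* empty canvas: nothing to import */
    if (width > max_cells / height)
        return false;                 /* width * height would exceed limit */
    *out = (size_t)width * height * CELL_BYTES;
    return true;
}

int main(void)
{
    /* Constructed header values, as an importer might read them from a file. */
    uint32_t w = 0x10000u, h = 0x10000u;
    size_t n = 0;

    printf("unchecked size for %ux%u: %u bytes\n",
           (unsigned)w, (unsigned)h, (unsigned)unchecked_canvas_bytes(w, h));
    printf("checked importer %s the same header\n",
           checked_canvas_bytes(w, h, &n) ? "accepts" : "rejects");
    return 0;
}
```

The same check belongs at every point where an importer derives an allocation size from file-supplied fields, before the allocation call.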


Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.