Heap-based buffer overflow in libcaca - CVE-2026-42046

 

Published: April 25, 2026


Vulnerability identifier: #VU127881
CSH Severity: High
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-42046
CWE-ID: CWE-122
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: libcaca
Software vendor: Caca Labs

Description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to a heap-based buffer overflow caused by an integer overflow in the canvas import functions when parsing a crafted file in the "caca" format. A remote attacker can supply a specially crafted file to execute arbitrary code.

User interaction is required to open or import the crafted file, and the impact may depend on the build configuration and memory allocator.
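
The bug class described above, shown as an added sketch that is not libcaca's code: a buffer size computed from file-supplied dimensions wraps in 32-bit arithmetic, so the allocation ends up smaller than the data the parser then writes. The cell size, the byte ceiling and all function names are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumptions for this sketch (not taken from libcaca): 8 bytes per cell
 * and a 64 MiB ceiling on the cell buffer. */
#define CELL_BYTES       8u
#define MAX_CANVAS_BYTES ((uint64_t)1 << 26)

/* Unchecked form: 32-bit arithmetic wraps silently, so large header
 * dimensions produce a small byte count. */
static uint32_t cells_size_unchecked(uint32_t width, uint32_t height)
{
    return width * height * CELL_BYTES;
}

/* Checked form: widen before multiplying, then bound the result.
 * Returns 0 and stores the byte count in *out, or -1 to reject the file. */
static int cells_size_checked(uint32_t width, uint32_t height, size_t *out)
{
    if (width == 0 || height == 0)
        return -1;
    uint64_t cells = (uint64_t)width * height; /* 32 x 32 bits fits in 64 */
    if (cells > MAX_CANVAS_BYTES / CELL_BYTES)
        return -1;
    *out = (size_t)(cells * CELL_BYTES);
    return 0;
}

/* Allocate the cell buffer only after the dimensions have been validated. */
static void *canvas_alloc(uint32_t width, uint32_t height, size_t *bytes)
{
    if (cells_size_checked(width, height, bytes) != 0)
        return NULL;
    return calloc(1, *bytes);
}

int main(void)
{
    size_t n = 0;
    /* Constructed header values: 0x20000001 cells need 0x100000008 bytes. */
    printf("unchecked: %u bytes\n", (unsigned)cells_size_unchecked(0x20000001u, 1u));
    printf("checked:   %s\n", cells_size_checked(0x20000001u, 1u, &n) ? "rejected" : "accepted");
    void *p = canvas_alloc(80, 25, &n);
    printf("80x25:     %zu bytes\n", p ? n : (size_t)0);
    free(p);
    return 0;
}
```

Rejecting the file at the size computation means no later write can be sized against a wrapped value, independent of allocator behaviour.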


Remediation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
