📢 Clarification Notice (CVE-2025-9300)

[saitoha]

TL;DR:

CVE-2025-9300 is a one-byte Buffer Over-read (CWE-126) in a debug-only path of img2sixel, reachable only when -v / --verbose is enabled.
It performs no writes and provides no viable path to RCE. No stack buffers are involved—the palette data is either heap-allocated (malloc) or a static const unsigned char[] built-in.

Note: some third-party posts have mischaracterized this as RCE (see examples in the Timeline below). No emergency response is required.

• Issue: LibSixel img2sixel Heap Buffer Overflow in Debug Palette Function #200
• Fix: 316c086

---

Technical summary

• The over-read occurs in sixel_debug_print_palette when verbose logging is enabled.
• Behavior: read 1 byte past the palette buffer, then fprintf to the terminal.
• Impact at worst: a crash or trivial information disclosure during verbose debug output.
• There is no arbitrary write and no control-flow corruption primitive.

Why this is not RCE

• No write-based overflow, no memory corruption, no format-string abuse.
• The code path is only reached with -v/--verbose.
• Implementation detail: the palette resides in heap memory (from malloc) or in static const unsigned char[] tables; no stack buffer is used.

Correct CWE classification

• Preferred: CWE-126: Buffer Over-read
  • Reads past the end of a buffer; exactly matches a 1-byte over-read of a palette array.
• (Parent) CWE-125: Out-of-Bounds Read
  • Broader category under which CWE-126 falls.
• Not appropriate here: CWE-121: Stack-based Buffer Overflow (write-based, stack-resident)
  • This issue is read-only and not stack-based.

References:

• CWE-126: https://cwe.mitre.org/data/definitions/126.html
• CWE-125: https://cwe.mitre.org/data/definitions/125.html
• CWE-121: https://cwe.mitre.org/data/definitions/121.html
• MITRE mapping guidance (prefer specific Base/Variant where possible):
  https://cwe.mitre.org/documents/cwe_usage/mapping_examples.html

---

Timeline (how the confusion arose)

• Possible origin (presentation): Some databases present this CVE as a “stack-based buffer overflow (CWE-121)”, which can lead readers to assume write-based overflow and potential code execution:
  • NVD page: https://nvd.nist.gov/vuln/detail/CVE-2025-9300
• Additional coverage suggesting code execution:
  • Wiz: suggests it could “potentially [lead] to … code execution” while rating it Medium.
    https://www.wiz.io/vulnerability-database/cve/cve-2025-9300
  • OffSeq Threat Radar: frames it as a “stack-based buffer overflow” and says it could “potentially [lead] to arbitrary code execution.”
    https://radar.offseq.com/threat/cve-2025-9300-stack-based-buffer-overflow-in-saito-168036dc
  • VulDB: uses the “stack-based buffer overflow” framing and calls it “critical” in summary while showing a Medium CVSS—this mixed presentation likely added to the confusion.
    https://vuldb.com/?id.320905
• Secondary coverage (blog): likely influenced by that framing, one blog asserted:
  • “…allows remote code execution via crafted images … patch immediately …” and
  • “…execute arbitrary code … simply by tricking a user into processing a maliciously crafted image file.”
    Source: https://portallinuxferramentas.blogspot.com/2025/09/critical-security-alert-mitigating.html
• Media headlines: one outlet ran “Fedora 42: Critical Buffer Overflow Fix …” and another page “Fedora 41: … Important Buffer Overflow Fix …”; the body of both simply relays “Apply fix for CVE-2025-9300.”
  • F42 headline: https://linuxsecurity.com/advisories/fedora/fedora-42-libsixel-2025-691c5cb4f4-sp0m1bgtuf9y
  • F41 headline: https://linuxsecurity.com/advisories/fedora/fedora-41-libsixel-2025-4647d515fc-hgtrhyz0ntwq
• Distro updates: Fedora shipped routine security updates that apply the fix (not an emergency “RCE patch”):
  • Fedora 41 — FEDORA-2025-4647d515fc (libsixel-1.10.5-3.fc41):
    https://bodhi.fedoraproject.org/updates/FEDORA-2025-4647d515fc
  • Fedora 42 — FEDORA-2025-691c5cb4f4 (libsixel-1.10.5-4.fc42):
    https://bodhi.fedoraproject.org/updates/FEDORA-2025-691c5cb4f4

---

Operational guidance

• No urgent patching or emergency response is required.
• Unless -v/--verbose is used, typical conversions are unaffected.