tmux Use-After-Free Vulnerability in Sixel Image Handling

Vulnerability

A use-after-free vulnerability has been identified in tmux versions through 3.6a. The issue is in the 'image_free' function in 'image.c', where improper management of image data for the Sixel graphics protocol can lead to memory corruption. When the global image count limit is exceeded, the oldest image is evicted, but references to it in the per-screen list are not updated, so that list keeps pointing at freed memory. Exploitation requires local access and is characterized by high complexity.
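
The lifetime bug described above, as an added illustration that is not tmux source code: a simplified C model in which each image is referenced from a global list and from a per-screen list, and eviction either updates only the global list (flawed) or both (fixed). All names, the limit of 3 and the pool allocator are assumptions; freed memory is modelled by a flag so the stale references can be counted safely.

```c
/* Simplified model of the flaw described above; not tmux source code. All names
 * are hypothetical. "Freed" is a flag so stale references can be counted safely. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define POOL 8          /* slots backing the model heap */
#define MAX_IMAGES 3    /* constructed global image limit */
struct image { int live; struct screen *owner; };
struct screen { struct image *refs[POOL]; size_t n; };

static struct image pool[POOL];
static struct image *all_images[POOL];   /* global list, oldest first */
static size_t all_count, used;

/* Remove im from its owning screen's list (the step the flaw omits). */
static void screen_unlink(struct image *im) {
    struct screen *s = im->owner;
    for (size_t i = 0; i < s->n; i++)
        if (s->refs[i] == im) { s->refs[i] = s->refs[--s->n]; return; }
}

/* Evict the oldest image; fixed == 0 updates only the global list. */
static void evict_oldest(int fixed) {
    struct image *im = all_images[0];
    memmove(all_images, all_images + 1, --all_count * sizeof *all_images);
    if (fixed) screen_unlink(im);
    im->live = 0;                        /* stands in for free(im) */
}

static void store_image(struct screen *s, int fixed) {
    if (all_count == MAX_IMAGES) evict_oldest(fixed);
    struct image *im = &pool[used++];
    im->live = 1; im->owner = s;
    all_images[all_count++] = s->refs[s->n++] = im;
}

/* Store 2 images on screen a, then 3 on screen b; return stale refs left. */
static size_t run_model(int fixed) {
    struct screen a = {0}, b = {0};
    size_t stale = 0;
    all_count = used = 0;
    for (int i = 0; i < 5; i++) store_image(i < 2 ? &a : &b, fixed);
    for (size_t i = 0; i < a.n; i++) stale += !a.refs[i]->live;
    for (size_t i = 0; i < b.n; i++) stale += !b.refs[i]->live;
    return stale;
}

int main(void) {
    return printf("stale refs: flawed=%zu fixed=%zu\n", run_model(0), run_model(1)) < 0;
}
```

In the flawed variant, images stored on screen b push the global count past the limit and screen a is left holding two references to evicted images; unlinking from the owning screen before the free leaves none.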

Impact

Exploitation of this vulnerability can crash the tmux server process, causing a denial-of-service condition in which all user sessions and windows are lost. Additionally, the memory corruption could be leveraged for arbitrary code execution.

Reproduction

The vulnerability can be reproduced by crafting a specific byte sequence and outputting it within a tmux pane, such as by viewing a maliciously crafted file. This triggers the memory corruption in the tmux server process, which can then be exploited to execute arbitrary code.

Remediation

Users can upgrade to tmux version 3.6b or later to address this vulnerability.

Added: Jun 9, 2026, 5:19 AM
Updated: Jun 9, 2026, 5:19 AM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 7.5
exploitability: 3.6
remediation: 7.7
relevance: 9.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.