| Title | tmux <= 3.6a Use After Free |
|---|---|
| Description | tmux is a widely used terminal multiplexer that allows users to manage multiple sessions within a single terminal window. tmux supports the Sixel graphics protocol (requires the `--enable-sixel` compile flag, which is enabled by default on some platforms such as Homebrew), allowing terminal programs to output pixel images to panes via standard output. Pixel images are centrally managed by the tmux server. Each image structure is simultaneously linked into a global LRU linked list and a per-screen linked list (`s->images`). The global list enforces a total count limit (default 20); when exceeded, the oldest image is evicted.<br><br>When a user switches to the alternate screen, tmux migrates all nodes from `s->images` to `s->saved_images` in bulk, but the references in the global LRU list remain unchanged. When LRU eviction occurs, the deallocation function `image_free` unconditionally performs a linked-list removal from `s->images`, without considering that the node may have already been migrated to `s->saved_images`. Performing a doubly-linked list removal on the wrong list corrupts the list metadata, producing a cross-list out-of-bounds write primitive. Meanwhile, the removed node is immediately freed, but the residual pointer in `s->saved_images` still points to the freed memory, constituting a use-after-free.<br><br>An attacker can craft a specific byte sequence and trick a user into outputting it within a tmux pane (e.g., by having the user view a maliciously crafted file in a pane). This triggers the memory corruption in the tmux server process running in the user's environment, which can cause the tmux server process to crash, resulting in the loss of all user sessions and windows — a denial of service. The attacker may further exploit this UAF write primitive for heap layout manipulation to achieve arbitrary code execution. |
| Source | ⚠️ https://gist.github.com/XlabAITeam/f0d9952595f795129a3258ba73bbc3cb |
| User | XlabAI (UID 98448) |
| Submit | 2026-05-22 08:31 (19 days ago) |
| Moderation | 2026-06-08 22:20 (18 days later) |
| Status | Accepted |
| VulDB entry | 369303 [tmux up to 3.6a image.c image_free memory corruption] |
| Points | 20 |
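
A simplified C model of the two-list bookkeeping in the description, added here as an illustration; it is not tmux's code or its patch. The `owner` field, `image_store`, `screen_enter_alternate` and `list_len` are assumptions of this sketch: each node records which per-screen list currently holds it, so LRU eviction unlinks from that list and `saved_images` never keeps a pointer to freed memory.

```c
#include <stdlib.h>
#include <sys/queue.h>                /* TAILQ macros; simplified model, not tmux source */
#define MAX_IMAGES 20                 /* global limit; 20 is the default per the description */
TAILQ_HEAD(images, image);
struct image {
	struct images *owner;         /* assumed field: the per-screen list holding this node */
	TAILQ_ENTRY(image) entry;     /* per-screen linkage (images or saved_images) */
	TAILQ_ENTRY(image) all_entry; /* global LRU linkage */
};
struct screen { struct images images, saved_images; };
static struct images all_images = TAILQ_HEAD_INITIALIZER(all_images);
static unsigned all_images_count;
static void image_free(struct image *im) {
	TAILQ_REMOVE(&all_images, im, all_entry);
	all_images_count--;
	TAILQ_REMOVE(im->owner, im, entry); /* the list the node is on, not a fixed &s->images */
	free(im);
}
static struct image *image_store(struct screen *s) {
	struct image *im = calloc(1, sizeof *im);
	if (im == NULL) return NULL;
	im->owner = &s->images;
	TAILQ_INSERT_TAIL(&s->images, im, entry);
	TAILQ_INSERT_TAIL(&all_images, im, all_entry);
	if (++all_images_count > MAX_IMAGES)
		image_free(TAILQ_FIRST(&all_images)); /* evict the oldest image */
	return im;
}
static void screen_enter_alternate(struct screen *s) {
	struct image *im;
	while ((im = TAILQ_FIRST(&s->images)) != NULL) { /* migrate and re-tag */
		TAILQ_REMOVE(&s->images, im, entry);
		TAILQ_INSERT_TAIL(&s->saved_images, im, entry);
		im->owner = &s->saved_images;
	}
}
static int list_len(struct images *l) { /* -1 if a node is tagged with another list */
	struct image *im; int n = 0;
	TAILQ_FOREACH(im, l, entry) { if (im->owner != l) return -1; n++; }
	return n;
}
int main(void) {
	struct screen s;
	TAILQ_INIT(&s.images); TAILQ_INIT(&s.saved_images);
	for (int i = 0; i < MAX_IMAGES; i++) image_store(&s);
	screen_enter_alternate(&s);
	image_store(&s); /* 21st image evicts one that now sits on saved_images */
	return list_len(&s.saved_images) == MAX_IMAGES - 1 ? 0 : 1;
}
```

Building the model with `-fsanitize=address` and swapping `im->owner` for a fixed `&s->images` is a quick way to confirm that a regression test covers the alternate-screen path.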