PatchSiren cyber security CVE debrief
CVE-2026-11623 tmux CVE debrief
CVE-2026-11623 is a use after free vulnerability in tmux up to 3.6a. The vulnerability is located in the image_free function of image.c and requires local access with high complexity to exploit. The vulnerability has a CVSS score of 1.1 and is considered low severity. The exploit has been publicly disclosed and can be used. Upgrading to version 3.7-rc addresses this issue with the patch fc6d94a9f8a593bd8b7031650802084385d4ee03.
- Vendor
- tmux
- Product
- tmux
- CVSS
- LOW 1.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-09
- Original CVE updated
- 2026-06-09
- Advisory published
- 2026-06-09
- Advisory updated
- 2026-06-09
Who should care
Users of tmux up to version 3.6a should be aware of this vulnerability and take steps to upgrade to a patched version.
Technical summary
The vulnerability is a use after free issue in the image_free function of image.c in tmux up to 3.6a. This requires local access and has high complexity, making it difficult to exploit.
Defensive priority
Low
Recommended defensive actions
- Upgrade to tmux version 3.7-rc or later.
- Apply the patch fc6d94a9f8a593bd8b7031650802084385d4ee03.
Evidence notes
The CVE record and details were sourced from [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-11623) and [nvd](https://nvd.nist.gov/vuln/detail/CVE-2026-11623).
Official resources
CVE-2026-11623 was published on 2026-06-09T05:16:30.227Z and modified on 2026-06-09T13:33:34.393Z.