Hi,

The following vulnerability was published for tmux.

CVE-2026-11623[0]:
| A security vulnerability has been detected in tmux up to 3.6a.
| Affected is the function image_free of the file image.c. Such
| manipulation leads to use after free. Local access is required to
| approach this attack. This attack is characterized by high
| complexity. The exploitability is told to be difficult. The exploit
| has been disclosed publicly and may be used. Upgrading to version
| 3.7-rc is able to address this issue. The name of the patch is
| fc6d94a9f8a593bd8b7031650802084385d4ee03. The affected component
| should be upgraded.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-11623
https://www.cve.org/CVERecord?id=CVE-2026-11623
[1] https://github.com/tmux/tmux/commit/fc6d94a9f8a593bd8b7031650802084385d4ee03

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

This was fixed upstream in 3.6b with
https://github.com/tmux/tmux/commit/b8434182c9ead062be8d50a1ff88e98b41108c1f,
and integrated in 3.6b-1 with
https://salsa.debian.org/debian/tmux/-/commit/3a78785ba1a01def74d2b22258f6c1201be75517.

Cheers,