CVE-2026-3146 - Vulnerability Analysis
Low | CVSS: 3.3 | Last Updated: February 25, 2026
libvips - Denial of Service
Published: February 25, 2026 | Updated: February 25, 2026 | PoC Available
Overview
libvips <= 8.18.0 contains a null pointer dereference caused by improper handling in the vips_foreign_load_matrix_header function. A local attacker can trigger it to cause a denial of service; exploitation requires local access.
Severity & Score
Severity: Low
CVSS Score: 3.3
Impact
Local attackers can cause denial of service by crashing the application via null pointer dereference.
Mitigation
Apply the patch identified by d4ce337c76bff1b278d7085c3c4f4725e3aa6ece or update to a version later than 8.18.0.
Details
- CVE ID: CVE-2026-3146
- Severity: Low
- CVSS Score: 3.3
- Type: null_pointer_dereference
- Status: confirmed
CWE
- CWE-404
CVSS Metrics
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L