CVE-2026-3147 - Vulnerability Analysis
Severity: Medium | CVSS: 5.3 | Last Updated: February 25, 2026
libvips - Buffer Overflow
Published: February 25, 2026 | Updated: February 25, 2026 | PoC Available
Overview
libvips versions up to and including 8.18.0 contain a heap-based buffer overflow caused by improper handling in the vips_foreign_load_csv_build function in libvips/foreign/csvload.c. A local attacker can trigger memory corruption; exploitation requires local access.
Severity & Score
Severity: Medium
CVSS Score: 5.3
Impact
A local attacker can cause memory corruption, which may lead to code execution or denial of service.
Mitigation
Apply commit b3ab458a25e0e261cbd1788474bbc763f7435780, or update to a libvips version later than 8.18.0.
References
- https://github.com/libvips/libvips/
- https://github.com/libvips/libvips/commit/b3ab458a25e0e261cbd1788474bbc763f7435780
- https://github.com/libvips/libvips/issues/4874
- https://github.com/libvips/libvips/issues/4874#issue-3943617697
- https://github.com/libvips/libvips/pull/4894
- https://vuldb.com/?ctiid.347653
- https://vuldb.com/?id.347653
- https://vuldb.com/?submit.758692
Details
- CVE ID: CVE-2026-3147
- Severity: Medium
- CVSS Score: 5.3
- Type: buffer_overflow
- Status: confirmed
CWE
- CWE-119
CVSS Metrics
- CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L