CVE-2026-3281 - Vulnerability Analysis
MediumCVSS: 5.3Last Updated: March 2, 2026
libvips - Buffer Overflow
Published: February 27, 2026Updated: March 2, 2026PoC Available
Overview
libvips 8.19.0 contains a heap-based buffer overflow caused by manipulation of the "index" argument in vips_bandrank_build function, letting local attackers cause memory corruption, exploit requires local access.
Severity & Score
Severity: Medium
CVSS Score: 5.3
Impact
Local attackers can cause memory corruption leading to potential denial of service or code execution.
Mitigation
Apply the patch fd28c5463697712cb0ab116a2c55e4f4d92c4088 or update to a fixed version.
References
- https://vuldb.com/?submit.758861
- https://github.com/libvips/libvips/
- https://github.com/libvips/libvips/commit/fd28c5463697712cb0ab116a2c55e4f4d92c4088
- https://github.com/libvips/libvips/issues/4878
- https://github.com/libvips/libvips/issues/4878#issue-3944209102
- https://github.com/libvips/libvips/pull/4895
- https://vuldb.com/?ctiid.348010
- https://vuldb.com/?id.348010
Related Resources
Details
- CVE ID
- CVE-2026-3281
- Severity
- Medium
- CVSS Score
- 5.3
- Type
- buffer_overflow
- Status
- confirmed
CWE
- CWE-119
CVSS Metrics
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L