CVE-2026-3282 - Vulnerability Analysis
LowCVSS: 3.3Last Updated: March 2, 2026
libvips - Out of Bounds Read
Published: February 27, 2026Updated: March 2, 2026PoC Available
Overview
libvips 8.19.0 contains an out-of-bounds read caused by improper handling of the "alpha_band" argument in vips_unpremultiply_build function, letting local attackers read memory out of bounds, exploit requires local access.
Severity & Score
Severity: Low
CVSS Score: 3.3
Impact
Local attackers can read out-of-bounds memory, potentially exposing sensitive information or causing application crashes.
Mitigation
Apply patch 7215ead1e0cd7d3703cc4f5fca06d7d0f4c22b91 or update to a fixed version.
References
- https://github.com/libvips/libvips/issues/4881
- https://github.com/libvips/libvips/issues/4881#issue-3944216443
- https://github.com/libvips/libvips/pull/4886
- https://vuldb.com/?ctiid.348011
- https://vuldb.com/?id.348011
- https://vuldb.com/?submit.758862
- https://github.com/libvips/libvips/
- https://github.com/libvips/libvips/commit/7215ead1e0cd7d3703cc4f5fca06d7d0f4c22b91
Related Resources
Details
- CVE ID
- CVE-2026-3282
- Severity
- Low
- CVSS Score
- 3.3
- Type
- out_of_bounds_rw
- Status
- confirmed
CWE
- CWE-119
CVSS Metrics
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N