CVE-2026-3283 - Vulnerability Analysis
LowCVSS: 3.3Last Updated: March 2, 2026
libvips - Out of Bounds Read
Published: February 27, 2026Updated: March 2, 2026PoC Available
Overview
libvips 8.19.0 contains an out-of-bounds read caused by improper handling of the extract_band argument in vips_extract_band_build function, letting local attackers read memory out of bounds, exploit requires local access.
Severity & Score
Severity: Low
CVSS Score: 3.3
Impact
Local attackers can read out-of-bounds memory, potentially exposing sensitive information or causing crashes.
Mitigation
Apply the patch identified by 24795bb3d19d84f7b6f5ed86451ad556c8f2fe70 or update to the latest version.
References
- https://github.com/libvips/libvips/commit/24795bb3d19d84f7b6f5ed86451ad556c8f2fe70
- https://github.com/libvips/libvips/issues/4880
- https://github.com/libvips/libvips/issues/4880#issue-3944214985
- https://github.com/libvips/libvips/pull/4887
- https://vuldb.com/?ctiid.348012
- https://vuldb.com/?id.348012
- https://vuldb.com/?submit.758863
- https://github.com/libvips/libvips/
Related Resources
Details
- CVE ID
- CVE-2026-3283
- Severity
- Low
- CVSS Score
- 3.3
- Type
- out_of_bounds_rw
- Status
- confirmed
CWE
- CWE-119
CVSS Metrics
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N