CVE-2026-3284 - Vulnerability Analysis
LowCVSS: 3.3Last Updated: March 2, 2026
libvips - Integer Overflow
Published: February 27, 2026Updated: March 2, 2026PoC Available
Overview
libvips 8.19.0 contains an integer overflow caused by manipulation of the extract_area argument in vips_extract_area_build function, letting local attackers cause memory corruption, exploit requires local access.
Severity & Score
Severity: Low
CVSS Score: 3.3
Impact
Local attackers can cause memory corruption, potentially leading to denial of service or code execution.
Mitigation
Apply the patch identified as 24795bb3d19d84f7b6f5ed86451ad556c8f2fe70 or update to the latest version.
References
- https://github.com/libvips/libvips/pull/4887
- https://vuldb.com/?ctiid.348013
- https://vuldb.com/?id.348013
- https://vuldb.com/?submit.758864
- https://github.com/libvips/libvips/
- https://github.com/libvips/libvips/commit/24795bb3d19d84f7b6f5ed86451ad556c8f2fe70
- https://github.com/libvips/libvips/issues/4879
- https://github.com/libvips/libvips/issues/4879#issue-3944211794
Related Resources
Details
- CVE ID
- CVE-2026-3284
- Severity
- Low
- CVSS Score
- 3.3
- Type
- integer_overflow
- Status
- confirmed
CWE
- CWE-189
CVSS Metrics
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L