CVE-2026-3146

Summary

A vulnerability has been found in libvips up to 8.18.0. The impacted element is the function vips_foreign_load_matrix_header of the file libvips/foreign/matrixload.c. The manipulation leads to null pointer dereference. The attack needs to be performed locally. The identifier of the patch is d4ce337c76bff1b278d7085c3c4f4725e3aa6ece. To fix this issue, it is recommended to deploy a patch.

Affected Software

VendorProductVersion RangeStatus
n/alibvips8.0affected
n/alibvips8.1affected
n/alibvips8.2affected
n/alibvips8.3affected
n/alibvips8.4affected
n/alibvips8.5affected
n/alibvips8.6affected
n/alibvips8.7affected
n/alibvips8.8affected
n/alibvips8.9affected
n/alibvips8.10affected
n/alibvips8.11affected
n/alibvips8.12affected
n/alibvips8.13affected
n/alibvips8.14affected
n/alibvips8.15affected
n/alibvips8.16affected
n/alibvips8.17affected
n/alibvips8.18.0affected

Weaknesses

  • CWE-476: NULL Pointer Dereference
  • CWE-404: Denial of Service

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

References