CVE-2026-3147

Summary

A vulnerability was found in libvips up to 8.18.0. This affects the function vips_foreign_load_csv_build of the file libvips/foreign/csvload.c. The manipulation results in heap-based buffer overflow. The attack requires a local approach. The exploit has been made public and could be used. The patch is identified as b3ab458a25e0e261cbd1788474bbc763f7435780. It is advisable to implement a patch to correct this issue.

Affected Software

VendorProductVersion RangeStatus
n/alibvips8.0affected
n/alibvips8.1affected
n/alibvips8.2affected
n/alibvips8.3affected
n/alibvips8.4affected
n/alibvips8.5affected
n/alibvips8.6affected
n/alibvips8.7affected
n/alibvips8.8affected
n/alibvips8.9affected
n/alibvips8.10affected
n/alibvips8.11affected
n/alibvips8.12affected
n/alibvips8.13affected
n/alibvips8.14affected
n/alibvips8.15affected
n/alibvips8.16affected
n/alibvips8.17affected
n/alibvips8.18.0affected

Weaknesses

  • CWE-122: Heap-based Buffer Overflow
  • CWE-119: Memory Corruption

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References