Description
A vulnerability was determined in libvips up to 8.19.0. The affected element is the function vips_source_read_to_memory of the file libvips/iofuncs/source.c. This manipulation causes heap-based buffer overflow. It is possible to launch the attack on the local host. The attack's complexity is rated as high. The exploitability is described as difficult. The exploit has been publicly disclosed and may be utilized. Patch name: a56feecbe9ed66521d9647ec9fbcd2546eccd7ee. Applying a patch is the recommended action to fix this issue. The confirmation of the bugfix mentions: "[T]he impact of this is negligible, since this only affects custom seekable sources larger than 4 GiB (and the crash occurs in user code rather than libvips itself)."
Published: 2026-02-22
Score: 2 Low
EPSS: < 1% Very Low
KEV: No
Impact: Application crash or denial of service via heap-based buffer overflow
Action: Apply Patch
AI Analysis

Impact

A heap-based buffer overflow occurs in the vips_source_read_to_memory function of libvips when handling custom seekable sources larger than 4 GiB. The overflow can corrupt memory in user code, leading to a crash. Exploitation requires local access, involves complex manipulation, and is rated difficult. The potential impact is limited to denial of service or instability in applications that rely on libvips, as the crash occurs in user code rather than in libvips itself.

Affected Systems

The vulnerability affects all versions of libvips up to and including 8.19.0. The affected product is tracked simply as libvips. No specific vendor or product hierarchy beyond the library itself is cited, and no newer versions are listed as affected in the available data.

Risk and Exploitability

The CVSS score is 2.0, indicating a low overall severity. The EPSS score of less than 1% shows a very low probability of exploitation in the wild. The vulnerability is not present in CISA's KEV catalog. Exploitation requires local access and is rated as high complexity and difficult. Attack vectors are therefore limited to trusted local environments, and the available data does not support any assumption of remote impact.

Generated by OpenCVE AI on April 18, 2026 at 17:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch identified by commit a56feecbe9ed66521d9647ec9fbcd2546eccd7ee to correct the buffer overflow logic
  • Rebuild and reinstall libvips to ensure the patch is applied to all uses
  • Deploy a newer libvips release that incorporates the fix; if unavailable, restrict use of custom seekable sources larger than 4 GiB in your local environment until the patch is applied

Advisories

No advisories yet.

History

Tue, 24 Feb 2026 00:15:00 +0000

Type         Values Removed           Values Added
Weaknesses   (none)                   CWE-131
References   (none)                   (none)
Metrics      threat_severity: None    threat_severity: Low


Mon, 23 Feb 2026 20:15:00 +0000

Type         Values Removed   Values Added
Metrics      (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 22 Feb 2026 04:15:00 +0000

Type                 Values Removed   Values Added
Description          (none)           A vulnerability was determined in libvips up to 8.19.0. The affected element is the function vips_source_read_to_memory of the file libvips/iofuncs/source.c. This manipulation causes heap-based buffer overflow. It is possible to launch the attack on the local host. The attack's complexity is rated as high. The exploitability is described as difficult. The exploit has been publicly disclosed and may be utilized. Patch name: a56feecbe9ed66521d9647ec9fbcd2546eccd7ee. Applying a patch is the recommended action to fix this issue. The confirmation of the bugfix mentions: "[T]he impact of this is negligible, since this only affects custom seekable sources larger than 4 GiB (and the crash occurs in user code rather than libvips itself)."
Title                (none)           libvips source.c vips_source_read_to_memory heap-based overflow
First Time appeared  (none)           Libvips; Libvips libvips
Weaknesses           (none)           CWE-119; CWE-122
CPEs                 (none)           cpe:2.3:a:libvips:libvips:*:*:*:*:*:*:*:*
Vendors & Products   (none)           Libvips; Libvips libvips
References           (none)           (none)
Metrics              (none)           cvssV2_0: {'score': 1, 'vector': 'AV:L/AC:H/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C'}
                                      cvssV3_0: {'score': 2.5, 'vector': 'CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}
                                      cvssV3_1: {'score': 2.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}
                                      cvssV4_0: {'score': 2, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T19:14:30.241Z

Reserved: 2026-02-20T20:20:44.103Z

Link: CVE-2026-2913

Vulnrichment

Updated: 2026-02-23T19:14:21.018Z

NVD

Status : Analyzed

Published: 2026-02-22T04:15:59.790

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-2913

Redhat

Severity : Low

Public Date: 2026-02-22T04:02:13Z

Links: CVE-2026-2913 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T18:00:06Z

Weaknesses