Description
A vulnerability was found in libvips up to 8.18.0. This affects the function vips_foreign_load_csv_build of the file libvips/foreign/csvload.c. The manipulation results in heap-based buffer overflow. The attack requires a local approach. The exploit has been made public and could be used. The patch is identified as b3ab458a25e0e261cbd1788474bbc763f7435780. It is advisable to implement a patch to correct this issue.
Published: 2026-02-25
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Heap-based Buffer Overflow
Action: Apply Patch
AI Analysis

Impact

A heap-based buffer overflow is triggered in the vips_foreign_load_csv_build function (libvips/foreign/csvload.c) when libvips loads a specially crafted CSV file. The overflow corrupts adjacent heap memory, so the most reliable outcome is a crash of the process that called libvips; whether the corruption can be steered into code execution is not established by the advisory, and the CVSS vectors rate the confidentiality, integrity and availability impact as low. The attack vector is local (AV:L, PR:L): the attacker must get the malformed CSV loaded by a process that uses libvips, whether through a local file or through an application that passes user-supplied files to the library.

Affected Systems

All releases of libvips up to and including version 8.18.0 are affected. The flaw is in the CSV loader (libvips/foreign/csvload.c) and is fixed by commit b3ab458a25e0e261cbd1788474bbc763f7435780. Check the installed version (for example with vips --version or pkg-config --modversion vips) and make sure it is a release newer than 8.18.0 that contains that commit, or that the commit has been backported into your build; a newer version number alone does not prove a vendor package carries the fix.

Risk and Exploitability

The CVSS base score shown (4.8, Medium) is the CVSS v4.0 value; the v3.0 and v3.1 vectors score 5.3, and all of them rate the confidentiality, integrity and availability impact as low. An EPSS score below 1% estimates a low probability of exploitation in the wild over the coming 30 days, and the vulnerability is not listed in CISA's KEV catalog. The local attack vector (AV:L, PR:L) means the crafted CSV has to be presented to a process that uses libvips rather than reached over the network directly; applications that load user-supplied files with libvips should therefore treat attacker-controlled input reaching the CSV loader as the exposure that matters. Proof-of-concept code is public (E:P in the v3/v4 vectors, E:POC in v2), so the low likelihood of widespread exploitation is a reason to prioritise sensibly, not to defer the patch.

Generated by OpenCVE AI on April 18, 2026 at 10:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade libvips to a release newer than 8.18.0 that includes commit b3ab458a25e0e261cbd1788474bbc763f7435780, or backport that commit to libvips/foreign/csvload.c and rebuild
  • Rebuild or redeploy every binary and library that links libvips; statically linked builds and bundled copies (for example libvips shipped inside language bindings or container images) do not pick up a system library update
  • If patching cannot occur immediately, keep untrusted input away from the CSV loader: do not let attacker-controlled files or filenames select the loader, and consider blocking it at the library level in libvips 8.13 and later (vips_operation_block_set() for the CSV loader, or the VIPS_BLOCK_UNTRUSTED environment variable / vips_block_untrusted_set() after confirming with vips -l that csvload carries the untrusted flag in your build); run libvips consumers with least privilege and in a sandbox

Generated by OpenCVE AI on April 18, 2026 at 10:47 UTC.
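As a concrete form of the version and patch checks above, here is an added shell example (not OpenCVE's or libvips's own code) that classifies a libvips version string against this advisory's affected range and, for a build from source, confirms the fix commit is an ancestor of what was built. It assumes the vips command-line tool and, optionally, a git checkout of libvips are available where those are used; the version strings shown in the comments are constructed.

```bash
#!/bin/sh
# Added example for CVE-2026-3147 (not OpenCVE's or libvips's own code).
# Facts used from the advisory: releases up to and including 8.18.0 are
# affected; the fix is commit b3ab458a25e0e261cbd1788474bbc763f7435780.
FIX_COMMIT=b3ab458a25e0e261cbd1788474bbc763f7435780

# Pull "MAJOR.MINOR.MICRO" out of the strings tools emit, e.g. "vips-8.18.0"
# (vips --version), "8.18.0" (pkg-config --modversion vips) or free text
# such as "libvips 8.17.2 built with ...". Prints nothing if no dotted
# triple is present.
vips_version_number() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Classify a version string:
#   affected      - 8.18.0 or older, in scope of the advisory
#   check-commit  - newer than 8.18.0; still confirm the fix commit is present,
#                   since a version number alone does not prove the patch landed
#   unknown       - no version could be parsed (returns non-zero)
cve_2026_3147_status() {
    ver=$(vips_version_number "$1")
    if [ -z "$ver" ]; then
        echo unknown
        return 1
    fi
    maj=${ver%%.*}
    rest=${ver#*.}
    min=${rest%%.*}
    mic=${rest#*.}
    if [ "$maj" -lt 8 ] ||
       { [ "$maj" -eq 8 ] && [ "$min" -lt 18 ]; } ||
       { [ "$maj" -eq 8 ] && [ "$min" -eq 18 ] && [ "$mic" -eq 0 ]; }; then
        echo affected
    else
        echo check-commit
    fi
}

# For builds from source: in a libvips git checkout, exit 0 when the fix
# commit is an ancestor of the commit you built (HEAD), non-zero otherwise.
fix_commit_present() {
    git -C "$1" merge-base --is-ancestor "$FIX_COMMIT" HEAD
}

# Usage: check the installed command-line tool when there is one, then a
# source tree if its path is given as the first argument.
if command -v vips >/dev/null 2>&1; then
    echo "installed libvips: $(cve_2026_3147_status "$(vips --version)")"
fi
if [ -n "${1:-}" ] && [ -d "$1/.git" ]; then
    if fix_commit_present "$1"; then
        echo "source tree $1: fix commit present"
    else
        echo "source tree $1: fix commit NOT present"
    fi
fi
```

The "check-commit" outcome is deliberate: distribution packages and bundled copies often carry a backported fix under an old version number, or an unpatched copy under a new one, so the version string is only a triage signal and the commit check (or the distribution's own changelog) is the real answer.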

Advisories

No advisories yet.

History

Wed, 25 Feb 2026 04:15:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was found in libvips up to 8.18.0. This affects the function vips_foreign_load_csv_build of the file libvips/foreign/csvload.c. The manipulation results in heap-based buffer overflow. The attack requires a local approach. The exploit has been made public and could be used. The patch is identified as b3ab458a25e0e261cbd1788474bbc763f7435780. It is advisable to implement a patch to correct this issue.
Title | | libvips csvload.c vips_foreign_load_csv_build heap-based overflow
First Time appeared | | Libvips; Libvips libvips
Weaknesses | | CWE-119; CWE-122
CPEs | | cpe:2.3:a:libvips:libvips:*:*:*:*:*:*:*:*
Vendors & Products | | Libvips; Libvips libvips
References | | 
Metrics | | cvssV2_0 {'score': 4.3, 'vector': 'AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}
 | | cvssV3_0 {'score': 5.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
 | | cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
 | | cvssV4_0 {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-25T15:32:34.675Z

Reserved: 2026-02-24T19:53:50.410Z

Link: CVE-2026-3147

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-02-25T04:16:05.670

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-3147

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T11:00:05Z

Weaknesses