CVE-2026-3283 - Vulnerability Details

- libvips extract.c vips_extract_band_build out-of-bounds

Description

A vulnerability has been found in libvips 8.19.0. This issue affects the function vips_extract_band_build of the file libvips/conversion/extract.c. The manipulation of the argument extract_band leads to out-of-bounds read. The attack needs to be performed locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 24795bb3d19d84f7b6f5ed86451ad556c8f2fe70. To fix this issue, it is recommended to deploy a patch.

Published: 2026-02-27

Score: 4.8 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in libvips 8.19.0 within the function vips_extract_band_build, where manipulation of the extract_band argument results in an out-of-bounds read. This flaw corresponds to the weaknesses CWE-119 and CWE-125. An attacker can read memory beyond the intended bounds, potentially exposing sensitive data or causing a crash. The impact is limited to a local context, as the exploit requires local code execution to manipulate the argument.

Affected Systems

The only affected version explicitly identified is libvips 8.19.0. The library is distributed as libvips 8.19.0, and earlier or later releases are not listed as impacted in the provided data.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity, and the EPSS score of less than 1 % implies a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Because the attack vector is local and requires manipulation of the extract_band argument, the risk to systems that do not provide local privilege to attackers is limited, but systems that allow local code execution may be able to exploit this defect to read sensitive memory.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

libvips

affected

Version	Status	Constraints
`8.19.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:libvips:libvips:8.19.0:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Libvips

95%

Version	Status	Scheme	Platform
`8.19.0`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the vendor patch referenced by commit 24795bb3d19d84f7b6f5ed86451ad556c8f2fe70 to libvips 8.19.0
Upgrade libvips to a newer release beyond 8.19.0 that includes the fix
Validate and constrain the extract_band input provided to vips_extract_band_build to prevent out-of-bounds read

Generated by OpenCVE AI on April 16, 2026 at 15:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Local

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00016.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/libvips/libvips/
https://github.com/libvips/libvips/commit/24795bb3d19d84f7b6f5ed86451ad556c8f2fe70
https://github.com/libvips/libvips/issues/4880
https://github.com/libvips/libvips/issues/4880#issue-3944214985
https://github.com/libvips/libvips/pull/4887
https://vuldb.com/?ctiid.348012
https://vuldb.com/?id.348012
https://vuldb.com/?submit.758863

History

Mon, 02 Mar 2026 18:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:libvips:libvips:8.19.0:::::::*

Fri, 27 Feb 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 27 Feb 2026 03:15:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability has been found in libvips 8.19.0. This issue affects the function vips_extract_band_build of the file libvips/conversion/extract.c. The manipulation of the argument extract_band leads to out-of-bounds read. The attack needs to be performed locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 24795bb3d19d84f7b6f5ed86451ad556c8f2fe70. To fix this issue, it is recommended to deploy a patch.
Title		libvips extract.c vips_extract_band_build out-of-bounds
First Time appeared		Libvips Libvips libvips
Weaknesses		CWE-119 CWE-125
CPEs		cpe:2.3:a:libvips:libvips::::::::
Vendors & Products		Libvips Libvips libvips
References		https://github.com/libvips/libvips/ https://github.com/libvips/libvips/commit/24795bb3d19d84f7b6f5ed86451ad556c8f2fe70 https://github.com/libvips/libvips/issues/4880 https://github.com/libvips/libvips/issues/4880#issue-3944214985 https://github.com/libvips/libvips/pull/4887 https://vuldb.com/?ctiid.348012 https://vuldb.com/?id.348012 https://vuldb.com/?submit.758863
Metrics		cvssV2_0 `{'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C'}` cvssV3_0 `{'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C'}` cvssV3_1 `{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C'}` cvssV4_0 `{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Libvips Libvips

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-02-27T02:32:12.328Z

Updated: 2026-02-27T18:49:14.477Z

Reserved: 2026-02-26T16:33:06.437Z

Link: CVE-2026-3283

Vulnrichment

Updated: 2026-02-27T18:49:10.820Z

NVD

Status : Analyzed

Published: 2026-02-27T03:16:02.940

Modified: 2026-03-02T17:56:47.813

Link: CVE-2026-3283

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T15:45:16Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Local

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object