Vulnerability Details CVE-2026-3146
A vulnerability has been found in libvips up to 8.18.0. The impacted element is the function vips_foreign_load_matrix_header of the file libvips/foreign/matrixload.c. The manipulation leads to null pointer dereference. The attack needs to be performed locally. The identifier of the patch is d4ce337c76bff1b278d7085c3c4f4725e3aa6ece. To fix this issue, it is recommended to deploy a patch.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 2.0%
CVSS Severity
CVSS v3 Score 3.3
CVSS v2 Score 1.7
References
- https://github.com/libvips/libvips/
- https://github.com/libvips/libvips/commit/d4ce337c76bff1b278d7085c3c4f4725e3aa6ece
- https://github.com/libvips/libvips/issues/4875
- https://github.com/libvips/libvips/pull/4888
- https://vuldb.com/?ctiid.347652
- https://vuldb.com/?id.347652
- https://vuldb.com/?submit.758691
- https://github.com/libvips/libvips/issues/4875
Products affected by CVE-2026-3146
-
cpe:2.3:a:libvips:libvips:7.28.0
-
cpe:2.3:a:libvips:libvips:7.30.0
-
cpe:2.3:a:libvips:libvips:8.0
-
cpe:2.3:a:libvips:libvips:8.1
-
cpe:2.3:a:libvips:libvips:8.10.0
-
cpe:2.3:a:libvips:libvips:8.10.1
-
cpe:2.3:a:libvips:libvips:8.10.2
-
cpe:2.3:a:libvips:libvips:8.10.3
-
cpe:2.3:a:libvips:libvips:8.10.4
-
cpe:2.3:a:libvips:libvips:8.10.5
-
cpe:2.3:a:libvips:libvips:8.10.6
-
cpe:2.3:a:libvips:libvips:8.11.0
-
cpe:2.3:a:libvips:libvips:8.11.1
-
cpe:2.3:a:libvips:libvips:8.11.2
-
cpe:2.3:a:libvips:libvips:8.11.3
-
cpe:2.3:a:libvips:libvips:8.11.4
-
cpe:2.3:a:libvips:libvips:8.12.0
-
cpe:2.3:a:libvips:libvips:8.12.1
-
cpe:2.3:a:libvips:libvips:8.12.2
-
cpe:2.3:a:libvips:libvips:8.13.0
-
cpe:2.3:a:libvips:libvips:8.13.1
-
cpe:2.3:a:libvips:libvips:8.13.2
-
cpe:2.3:a:libvips:libvips:8.13.3
-
cpe:2.3:a:libvips:libvips:8.14.0
-
cpe:2.3:a:libvips:libvips:8.14.1
-
cpe:2.3:a:libvips:libvips:8.14.2
-
cpe:2.3:a:libvips:libvips:8.14.3
-
cpe:2.3:a:libvips:libvips:8.14.4
-
cpe:2.3:a:libvips:libvips:8.14.5
-
cpe:2.3:a:libvips:libvips:8.15.0
-
cpe:2.3:a:libvips:libvips:8.15.1
-
cpe:2.3:a:libvips:libvips:8.15.2
-
cpe:2.3:a:libvips:libvips:8.15.3
-
cpe:2.3:a:libvips:libvips:8.15.4
-
cpe:2.3:a:libvips:libvips:8.15.5
-
cpe:2.3:a:libvips:libvips:8.16.0
-
cpe:2.3:a:libvips:libvips:8.16.1
-
cpe:2.3:a:libvips:libvips:8.17.0
-
cpe:2.3:a:libvips:libvips:8.17.1
-
cpe:2.3:a:libvips:libvips:8.17.2
-
cpe:2.3:a:libvips:libvips:8.17.3
-
cpe:2.3:a:libvips:libvips:8.18.0
-
cpe:2.3:a:libvips:libvips:8.2.2
-
cpe:2.3:a:libvips:libvips:8.2.3
-
cpe:2.3:a:libvips:libvips:8.3.0
-
cpe:2.3:a:libvips:libvips:8.4.2
-
cpe:2.3:a:libvips:libvips:8.4.6
-
cpe:2.3:a:libvips:libvips:8.5.1
-
cpe:2.3:a:libvips:libvips:8.5.2
-
cpe:2.3:a:libvips:libvips:8.5.3
-
cpe:2.3:a:libvips:libvips:8.5.4
-
cpe:2.3:a:libvips:libvips:8.5.5
-
cpe:2.3:a:libvips:libvips:8.5.6
-
cpe:2.3:a:libvips:libvips:8.5.7
-
cpe:2.3:a:libvips:libvips:8.5.8
-
cpe:2.3:a:libvips:libvips:8.5.9
-
cpe:2.3:a:libvips:libvips:8.6.0
-
cpe:2.3:a:libvips:libvips:8.6.1
-
cpe:2.3:a:libvips:libvips:8.6.2
-
cpe:2.3:a:libvips:libvips:8.6.3
-
cpe:2.3:a:libvips:libvips:8.6.4
-
cpe:2.3:a:libvips:libvips:8.6.5
-
cpe:2.3:a:libvips:libvips:8.7.0
-
cpe:2.3:a:libvips:libvips:8.7.1
-
cpe:2.3:a:libvips:libvips:8.7.2
-
cpe:2.3:a:libvips:libvips:8.7.3
-
cpe:2.3:a:libvips:libvips:8.7.4
-
cpe:2.3:a:libvips:libvips:8.8.0
-
cpe:2.3:a:libvips:libvips:8.8.1
-
cpe:2.3:a:libvips:libvips:8.8.2
-
cpe:2.3:a:libvips:libvips:8.8.3
-
cpe:2.3:a:libvips:libvips:8.8.4
-
cpe:2.3:a:libvips:libvips:8.9.0
-
cpe:2.3:a:libvips:libvips:8.9.1
-
cpe:2.3:a:libvips:libvips:8.9.2