CVE-2025-29769: Heap-based Buffer Overflow in Libvips

Severity: 8.5 HIGH (NVD)
EPSS: 0.1% (top 73.01%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 7

Description

libvips is a demand-driven, horizontally threaded image processing library. The heifsave operation could incorrectly determine the presence of an alpha channel in an input when it was not possible to determine the colour interpretation, known internally within libvips as "multiband". There aren't many ways to create a "multiband" input, but it is possible with a well-crafted TIFF image. If a "multiband" TIFF input image had 4 channels and HEIF-based output was requested, this led to libvips crea

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages (2 packages)

NVD: libvips/libvips < 8.16.1
Debian: debian/vips < vips 8.14.1-3+deb12u2 (bookworm)

Also affects: Debian Linux 11.0

Patches

Vulnerability Details (1)

OSV: CVE-2025-29769: libvips is a demand-driven, horizontally threaded image processing library (2025-04-07)

Vendor Advisories (1)

Debian: CVE-2025-29769: vips - libvips is a demand-driven, horizontally threaded image processing library. The... (2025)
CVE-2025-29769 — Heap-based Buffer Overflow in Libvips | cvebase