CVE-2026-2913Improper Restriction of Operations within the Bounds of a Memory Buffer in Vips

CWE-119Improper Restriction of Operations within the Bounds of a Memory BufferCWE-122Heap-based Buffer OverflowCWE-131Incorrect Calculation of Buffer Size6 documents6 sources
Severity
2.0LOWNVD
EPSS
0.0%
top 93.94%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Debian VipsLibvips
Timeline
PublishedFeb 22

Description

A vulnerability was determined in libvips up to 8.19.0. The affected element is the function vips_source_read_to_memory of the file libvips/iofuncs/source.c. This manipulation causes heap-based buffer overflow. It is possible to launch the attack on the local host. The attack's complexity is rated as high. The exploitability is described as difficult. The exploit has been publicly disclosed and may be utilized. Patch name: a56feecbe9ed66521d9647ec9fbcd2546eccd7ee. Applying a patch is the recomme

CVSS vector

CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected Packages3 packages

NVDlibvips/libvips8.19.0
CVEListV5libvips/libvips20 versions+19
debiandebian/vips< vips 8.18.0-2 (forky)

Patches

Patch: github.com

🔴Vulnerability Details

2
OSV
CVE-2026-2913: A vulnerability was determined in libvips up to 82026-02-22
GHSA
GHSA-qjwf-h778-47mm: A vulnerability was determined in libvips up to 82026-02-22

📋Vendor Advisories

2
Red Hat
libvips: libvips: Denial of Service via heap-based buffer overflow in vips_source_read_to_memory2026-02-22
Debian
CVE-2026-2913: vips - A vulnerability was determined in libvips up to 8.19.0. The affected element is ...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-2913 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-2913 — Debian Vips vulnerability | cvebase