CVE-2026-3281Improper Restriction of Operations within the Bounds of a Memory Buffer in Vips

CWE-119Improper Restriction of Operations within the Bounds of a Memory BufferCWE-122Heap-based Buffer Overflow5 documents5 sources
Severity
4.8MEDIUMNVD
EPSS
0.0%
top 98.14%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Debian VipsLibvips
Timeline
PublishedFeb 27

Description

A vulnerability was detected in libvips 8.19.0. This affects the function vips_bandrank_build of the file libvips/conversion/bandrank.c. Performing a manipulation of the argument index results in heap-based buffer overflow. The attack must be initiated from a local position. The exploit is now public and may be used. The patch is named fd28c5463697712cb0ab116a2c55e4f4d92c4088. It is suggested to install a patch to address this issue.

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Affected Packages2 packages

NVDlibvips/libvips8.19.0
debiandebian/vips< vips 8.18.0-3 (forky)

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

2
GHSA
GHSA-f98h-2fjh-775c: A vulnerability was detected in libvips 82026-02-27
OSV
CVE-2026-3281: A vulnerability was detected in libvips 82026-02-27

📋Vendor Advisories

1
Debian
CVE-2026-3281: vips - A vulnerability was detected in libvips 8.19.0. This affects the function vips_b...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-3281 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-3281 — Debian Vips vulnerability | cvebase