CVE-2026-3283Improper Restriction of Operations within the Bounds of a Memory Buffer in Vips

CWE-119Improper Restriction of Operations within the Bounds of a Memory BufferCWE-125Out-of-bounds Read5 documents5 sources
Severity
1.9LOWNVD
EPSS
0.0%
top 96.39%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Debian VipsLibvips
Timeline
PublishedFeb 27

Description

A vulnerability has been found in libvips 8.19.0. This issue affects the function vips_extract_band_build of the file libvips/conversion/extract.c. The manipulation of the argument extract_band leads to out-of-bounds read. The attack needs to be performed locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 24795bb3d19d84f7b6f5ed86451ad556c8f2fe70. To fix this issue, it is recommended to deploy a patch.

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages2 packages

NVDlibvips/libvips8.19.0
debiandebian/vips< vips 8.18.0-3 (forky)

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

2
GHSA
GHSA-93j6-h3cr-cp28: A vulnerability has been found in libvips 82026-02-27
OSV
CVE-2026-3283: A vulnerability has been found in libvips 82026-02-27

📋Vendor Advisories

1
Debian
CVE-2026-3283: vips - A vulnerability has been found in libvips 8.19.0. This issue affects the functio...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-3283 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-3283 — Debian Vips vulnerability | cvebase