CVE-2026-3147
MEDIUMlibvips < 8.18.0 - Heap-Based Buffer Overflow in CSV Load Function
Title source: llmDescription
A vulnerability was found in libvips up to 8.18.0. This affects the function vips_foreign_load_csv_build of the file libvips/foreign/csvload.c. The manipulation results in heap-based buffer overflow. The attack requires a local approach. The exploit has been made public and could be used. The patch is identified as b3ab458a25e0e261cbd1788474bbc763f7435780. It is advisable to implement a patch to correct this issue.
References (8)
Core 8
Core References
Various Sources product
https://github.com/libvips/libvips/
Permissions Required, VDB Entry vdb-entry
technical-description
https://vuldb.com/?id.347653
Permissions Required, VDB Entry signature
permissions-required
https://vuldb.com/?ctiid.347653
Permissions Required, VDB Entry third-party-advisory
https://vuldb.com/?submit.758692
Issue Tracking issue-tracking
https://github.com/libvips/libvips/issues/4874
Issue Tracking issue-tracking
patch
https://github.com/libvips/libvips/pull/4894
Issue Tracking exploit
issue-tracking
https://github.com/libvips/libvips/issues/4874#issue-3943617697
Scores
CVSS v3
5.3
EPSS
0.0021
EPSS Percentile
11.0%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-119
CWE-122
Status
published
Products (1)
libvips/libvips
< 8.18.0
Published
Feb 25, 2026
Tracked Since
Feb 25, 2026