CVE-2026-3145
Published: 25 February 2026
Summary
CVE-2026-3145 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Libvips Libvips. Its CVSS base score is 4.8 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 5.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-3145 is a memory corruption vulnerability (CWE-119) affecting libvips versions up to and including 8.18.0. The flaw resides in the functions vips_foreign_load_matrix_file_is_a and vips_foreign_load_matrix_header within the file libvips/foreign/matrixload.c. This issue can be triggered by executing a manipulation that leads to memory corruption.
The vulnerability has a CVSS v3.1 base score of 5.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating a medium severity local attack. An attacker with low privileges on the affected system can exploit it without user interaction, achieving low impacts on confidentiality, integrity, and availability through memory corruption.
Mitigation is available via the patch commit d4ce337c76bff1b278d7085c3c4f4725e3aa6ece in the libvips GitHub repository. Additional details are provided in GitHub issue #4876 and pull request #4888, with further information on VulDB (ctiid.347651). Security practitioners should update to a patched version of libvips beyond 8.18.0.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8586
Vulnerability details
A flaw has been found in libvips up to 8.18.0. The affected element is the function vips_foreign_load_matrix_file_is_a/vips_foreign_load_matrix_header of the file libvips/foreign/matrixload.c. Executing a manipulation can lead to memory corruption. The attack needs to be launched locally. This patch is called…
more
d4ce337c76bff1b278d7085c3c4f4725e3aa6ece. A patch should be applied to remediate this issue.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local memory corruption (CWE-119) in a library parsing function allows a low-privileged attacker to trigger corruption without user interaction; this directly enables exploitation for privilege escalation within the affected process context.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely application of the vendor patch (commit d4ce337c) that eliminates the memory-corruption flaw in matrixload.c.
Implements OS- or language-level memory protections that can block or contain the buffer corruption triggered by the matrix header parsing functions.
Enables integrity verification of the libvips binary and libraries, detecting unauthorized or unpatched versions that still contain the vulnerable code.