CVE-2026-3145
Published: 25 February 2026
Summary
CVE-2026-3145 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Libvips Libvips. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 5.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Ongoing control assessments and code testing (static/dynamic analysis, fuzzing) surface memory buffer restriction failures, which are then remediated before release.
Managed runtimes used by platform-independent applications (e.g., JVM, CLR) enforce memory safety, preventing most buffer overflows that require direct memory manipulation.
Memory protections (e.g., W^X, ASLR) make exploitation of buffer-boundary violations far harder to turn into code execution.
Detects exploitation attempts that produce memory corruption, crashes, or anomalous behavior.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local memory corruption (CWE-119) in a library parsing function allows a low-privileged attacker to trigger corruption without user interaction; this directly enables exploitation for privilege escalation within the affected process context.
NVD Description
A flaw has been found in libvips up to 8.18.0. The affected element is the function vips_foreign_load_matrix_file_is_a/vips_foreign_load_matrix_header of the file libvips/foreign/matrixload.c. Executing a manipulation can lead to memory corruption. The attack needs to be launched locally. This patch is called…
more
d4ce337c76bff1b278d7085c3c4f4725e3aa6ece. A patch should be applied to remediate this issue.
Deeper analysisAI
CVE-2026-3145 is a memory corruption vulnerability (CWE-119) affecting libvips versions up to and including 8.18.0. The flaw resides in the functions vips_foreign_load_matrix_file_is_a and vips_foreign_load_matrix_header within the file libvips/foreign/matrixload.c. This issue can be triggered by executing a manipulation that leads to memory corruption.
The vulnerability has a CVSS v3.1 base score of 5.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating a medium severity local attack. An attacker with low privileges on the affected system can exploit it without user interaction, achieving low impacts on confidentiality, integrity, and availability through memory corruption.
Mitigation is available via the patch commit d4ce337c76bff1b278d7085c3c4f4725e3aa6ece in the libvips GitHub repository. Additional details are provided in GitHub issue #4876 and pull request #4888, with further information on VulDB (ctiid.347651). Security practitioners should update to a patched version of libvips beyond 8.18.0.
Details
- CWE(s)