Cyber Resilience

CVE-2026-3145

MediumPublic PoC

Published: 25 February 2026

Published
25 February 2026
Modified
25 February 2026
KEV Added
Patch
CVSS Score v4 4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0002 5.6th percentile
Risk Priority 10 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-3145 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Libvips Libvips. Its CVSS base score is 4.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 5.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-3145 is a memory corruption vulnerability (CWE-119) affecting libvips versions up to and including 8.18.0. The flaw resides in the functions vips_foreign_load_matrix_file_is_a and vips_foreign_load_matrix_header within the file libvips/foreign/matrixload.c. This issue can be triggered by executing a manipulation that leads to memory corruption.

The vulnerability has a CVSS v3.1 base score of 5.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating a medium severity local attack. An attacker with low privileges on the affected system can exploit it without user interaction, achieving low impacts on confidentiality, integrity, and availability through memory corruption.

Mitigation is available via the patch commit d4ce337c76bff1b278d7085c3c4f4725e3aa6ece in the libvips GitHub repository. Additional details are provided in GitHub issue #4876 and pull request #4888, with further information on VulDB (ctiid.347651). Security practitioners should update to a patched version of libvips beyond 8.18.0.

EU & UK References

Vulnerability details

A flaw has been found in libvips up to 8.18.0. The affected element is the function vips_foreign_load_matrix_file_is_a/vips_foreign_load_matrix_header of the file libvips/foreign/matrixload.c. Executing a manipulation can lead to memory corruption. The attack needs to be launched locally. This patch is called…

more

d4ce337c76bff1b278d7085c3c4f4725e3aa6ece. A patch should be applied to remediate this issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local memory corruption (CWE-119) in a library parsing function allows a low-privileged attacker to trigger corruption without user interaction; this directly enables exploitation for privilege escalation within the affected process context.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3147Same product: Libvips Libvips
CVE-2026-3281Same product: Libvips Libvips
CVE-2026-3282Same product: Libvips Libvips
CVE-2026-3283Same product: Libvips Libvips
CVE-2024-47796Shared CWE-119
CVE-2026-22167Shared CWE-119
CVE-2025-15411Shared CWE-119
CVE-2026-20700Shared CWE-119
CVE-2024-44238Shared CWE-119
CVE-2023-49618Shared CWE-119

Affected Assets

libvips
libvips
≤ 8.18.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely application of the vendor patch (commit d4ce337c) that eliminates the memory-corruption flaw in matrixload.c.

prevent

Implements OS- or language-level memory protections that can block or contain the buffer corruption triggered by the matrix header parsing functions.

detect

Enables integrity verification of the libvips binary and libraries, detecting unauthorized or unpatched versions that still contain the vulnerable code.

References