CVE-2026-3147
Published: 25 February 2026
Summary
CVE-2026-3147 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in libvips. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 7.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
Threat & Defense Details
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Ongoing control assessments and code testing (static/dynamic analysis, fuzzing) surface memory buffer restriction failures, which are then remediated before release.
- Managed runtimes used by platform-independent applications (e.g., JVM, CLR) enforce memory safety, preventing most buffer overflows that require direct memory manipulation.
- Memory protections (e.g., W^X, ASLR) make exploitation of buffer-boundary violations far harder to turn into code execution.
- Detects exploitation attempts that produce memory corruption, crashes, or anomalous behavior.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
A heap-based buffer overflow in local CSV processing enables a local low-privileged attacker to corrupt memory and execute code via a crafted file, directly facilitating privilege escalation.
NVD Description
A vulnerability was found in libvips up to 8.18.0. This affects the function vips_foreign_load_csv_build of the file libvips/foreign/csvload.c. The manipulation results in heap-based buffer overflow. The attack requires a local approach. The exploit has been made public and could be used. The patch is identified as b3ab458a25e0e261cbd1788474bbc763f7435780. It is advisable to implement a patch to correct this issue.
Deeper analysis (AI)
CVE-2026-3147 is a heap-based buffer overflow vulnerability in libvips versions up to 8.18.0, specifically affecting the vips_foreign_load_csv_build function in the file libvips/foreign/csvload.c. This flaw arises from improper bounds checking during CSV file processing, leading to potential memory corruption when loading malformed CSV inputs.
The vulnerability requires local access (AV:L) with low privileges (PR:L) and low attack complexity (AC:L), needing no user interaction (UI:N). A local attacker could exploit it by providing a specially crafted CSV file to a libvips-based application, triggering the buffer overflow and achieving low-impact confidentiality, integrity, and availability effects (C:L/I:L/A:L), as scored at CVSS 5.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). The exploit is publicly available and could be used in targeted scenarios.
Mitigation is available via the patch commit b3ab458a25e0e261cbd1788474bbc763f7435780 in the libvips repository. Security practitioners should update to a patched version of libvips beyond 8.18.0 and review applications using the CSV loader for exposure. Related GitHub issues (#4874) and pull request (#4894) provide further details on the fix.
An exploit for this vulnerability has been made public, increasing the risk for unpatched systems, though no widespread real-world exploitation has been reported in available data.
Details
- CWE(s)