CVE-2026-3147
Published: 25 February 2026
Summary
CVE-2026-3147 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in the libvips image-processing library (vendor: libvips). Its CVSS base score is 4.8 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability ranks at the 7.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-3147 is a heap-based buffer overflow vulnerability in libvips versions up to 8.18.0, specifically affecting the vips_foreign_load_csv_build function in the file libvips/foreign/csvload.c. This flaw arises from improper bounds checking during CSV file processing, leading to potential memory corruption when loading malformed CSV inputs.
The vulnerability requires local access (AV:L) with low privileges (PR:L) and low attack complexity (AC:L), needing no user interaction (UI:N). A local attacker could exploit it by providing a specially crafted CSV file to a libvips-based application, triggering the buffer overflow and achieving low-impact confidentiality, integrity, and availability effects (C:L/I:L/A:L), as scored at CVSS 5.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). The exploit is publicly available and could be used in targeted scenarios.
Mitigation is available via the patch commit b3ab458a25e0e261cbd1788474bbc763f7435780 in the libvips repository. Security practitioners should update to a patched version of libvips beyond 8.18.0 and review applications that use the CSV loader for exposure. The related GitHub issue (#4874) and pull request (#4894) provide further details on the fix.
An exploit for this vulnerability has been made public, increasing the risk for unpatched systems, though no widespread real-world exploitation has been reported in available data.
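The update guidance above sets the threshold at 8.18.0. The script below is an added example, not code from this advisory or from the libvips project, that compares the libvips version found on a host against that threshold. It assumes that the first line of `vips --version` has the form `vips-8.18.0` (an assumption of this example) and uses `pkg-config --modversion vips` as a fallback; the version strings in the comments are constructed.

```shell
#!/bin/sh
# Added example: not code from this advisory or from the libvips project.
# Reports whether the libvips on this host is at or below 8.18.0, the highest
# version the advisory lists as affected by CVE-2026-3147.

# split_version V: print V's three numeric fields separated by spaces,
# padding missing fields with 0 (so a constructed "8.18" becomes "8 18 0").
split_version() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    printf '%s %s %s\n' "${1:-0}" "${2:-0}" "${3:-0}"
}

# version_le A B: return 0 if A <= B as dotted numeric versions, 1 if A > B,
# 2 if either argument is empty or contains anything but digits and dots.
version_le() {
    case "$1" in ""|*[!0-9.]*) return 2 ;; esac
    case "$2" in ""|*[!0-9.]*) return 2 ;; esac
    set -- $(split_version "$1") $(split_version "$2")   # $1-$3 = A, $4-$6 = B
    [ "$1" -lt "$4" ] && return 0
    [ "$1" -gt "$4" ] && return 1
    [ "$2" -lt "$5" ] && return 0
    [ "$2" -gt "$5" ] && return 1
    if [ "$3" -le "$6" ]; then return 0; else return 1; fi
}

# affected_by_cve_2026_3147 VERSION: 0 when VERSION is in the range the
# advisory reports as affected (up to 8.18.0), 1 when newer, 2 if unparsable.
affected_by_cve_2026_3147() {
    version_le "$1" 8.18.0
}

# extract_vips_version LINE: pull "X.Y.Z" out of the first line of
# `vips --version`, which this example assumes looks like "vips-8.18.0".
# Prints nothing if the line does not match that shape.
extract_vips_version() {
    printf '%s\n' "$1" | sed -n 's/^vips-\([0-9][0-9.]*\).*$/\1/p'
}

# check_installed_vips: read the version from the host (vips CLI first,
# `pkg-config --modversion vips` as a fallback) and print a verdict.
# Returns 1 when the host is in the affected range, 0 when it is not or
# libvips is absent, 2 if the version could not be parsed.
check_installed_vips() {
    ver=""
    if command -v vips >/dev/null 2>&1; then
        ver=$(extract_vips_version "$(vips --version 2>/dev/null | head -n 1)")
    fi
    if [ -z "$ver" ] && command -v pkg-config >/dev/null 2>&1; then
        ver=$(pkg-config --modversion vips 2>/dev/null || true)
    fi
    if [ -z "$ver" ]; then
        echo "libvips not found via the vips CLI or pkg-config; check the package manager instead"
        return 0
    fi
    rc=0
    affected_by_cve_2026_3147 "$ver" || rc=$?
    case $rc in
        0) echo "libvips $ver is in the affected range (<= 8.18.0) for CVE-2026-3147: update past 8.18.0"; return 1 ;;
        1) echo "libvips $ver is newer than 8.18.0: outside the affected range"; return 0 ;;
        *) echo "could not parse libvips version '$ver'"; return 2 ;;
    esac
}

# Run the host check only when invoked as: sh check_vips.sh --check
case "${1:-}" in --check) check_installed_vips ;; esac
```

Invoke it with `--check` on a host to get a verdict and a non-zero exit status when the version is in the affected range; `version_le` and `affected_by_cve_2026_3147` are kept as separate functions so the same comparison can be fed a version string taken from package-manager output instead.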
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8610
Vulnerability details
A vulnerability was found in libvips up to 8.18.0. This affects the function vips_foreign_load_csv_build of the file libvips/foreign/csvload.c. The manipulation results in heap-based buffer overflow. The attack requires a local approach. The exploit has been made public and could be used. The patch is identified as b3ab458a25e0e261cbd1788474bbc763f7435780. It is advisable to implement a patch to correct this issue.
- CWE(s): CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)
Related Threats
MITRE ATT&CK Enterprise Techniques [AI]
- Exploitation for Privilege Escalation (T1068)
Why these techniques?
A heap-based buffer overflow in local CSV processing lets a local, low-privileged attacker corrupt memory and execute code via a crafted file, which directly facilitates privilege escalation.
Mitigating Controls (NIST 800-53 r5) [AI]
- SI-2 (Flaw Remediation): directly requires applying the available patch (b3ab458a) to remediate the heap buffer overflow in libvips csvload.c before exploitation.
- SI-10 (Information Input Validation): mandates input validation on untrusted CSV data to enforce bounds checking and block the malformed input that triggers the overflow.
- SI-16 (Memory Protection): requires memory protection mechanisms that can prevent unauthorized code execution or corruption resulting from the heap overflow.