Cyber Resilience

CVE-2026-3147

Severity: Medium · Public PoC

Published: 25 February 2026
Modified: 25 February 2026
KEV Added: not listed
Patch: available (see Deeper analysis)
CVSS v4.0 score: 4.8 (Medium)
CVSS v4.0 vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0003 (7.9th percentile)
Risk priority: 10 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-3147 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in libvips (vendor libvips). It scores 4.8 (Medium) under CVSS v4.0 with exploit maturity set to proof-of-concept (E:P), and 5.3 (Medium) under CVSS v3.1.

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its EPSS ranking is the 7.9th percentile (below the median exploit likelihood), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-3147 is a heap-based buffer overflow (CWE-122) in libvips versions up to and including 8.18.0, specifically in the vips_foreign_load_csv_build function in libvips/foreign/csvload.c. The flaw stems from insufficient bounds checking while the CSV loader processes its input, so a malformed CSV file can corrupt heap memory during loading.

The vulnerability requires local access (AV:L) and low privileges (PR:L), has low attack complexity (AC:L), and needs no user interaction (UI:N). A local attacker could exploit it by getting a libvips-based application to load a specially crafted CSV file, triggering the overflow with low-rated confidentiality, integrity, and availability impact (C:L/I:L/A:L); the CVSS v3.1 score is 5.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). The exploit is publicly available and could be used in targeted scenarios. Note that AV:L describes a file-based trigger: a service that lets untrusted users supply files that reach the CSV loader exposes the same code path to remote input and should be treated as higher risk than the local vector alone suggests.

The fix is commit b3ab458a25e0e261cbd1788474bbc763f7435780 in the libvips repository. Security practitioners should update to a libvips build that includes that commit (all releases up to and including 8.18.0 are listed as affected) and review applications that use the CSV loader for exposure. The related GitHub issue (#4874) and pull request (#4894) provide further details on the fix.

An exploit for this vulnerability has been made public, increasing the risk for unpatched systems, though no widespread real-world exploitation has been reported in available data.

Vulnerability details

A vulnerability was found in libvips up to 8.18.0. This affects the function vips_foreign_load_csv_build of the file libvips/foreign/csvload.c. The manipulation results in heap-based buffer overflow. The attack requires a local approach. The exploit has been made public and could be used. The patch is identified as b3ab458a25e0e261cbd1788474bbc763f7435780. It is advisable to implement a patch to correct this issue.

CWE(s)

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-122 Heap-based Buffer Overflow

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

A heap-based buffer overflow during local CSV processing lets a low-privileged local attacker corrupt memory with a crafted file; if that corruption can be turned into code execution inside a more privileged libvips-based process, it facilitates privilege escalation. Note that the CVSS vector rates all three impacts low (VC:L/VI:L/VA:L), so the mapping reflects the potential outcome of the memory corruption rather than a demonstrated escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3281: same product (Libvips Libvips)
CVE-2026-3145: same product (Libvips Libvips)
CVE-2026-3283: same product (Libvips Libvips)
CVE-2026-3282: same product (Libvips Libvips)
CVE-2025-1788: shared CWE-119, CWE-122
CVE-2024-45421: shared CWE-119, CWE-122
CVE-2025-7208: shared CWE-119, CWE-122
CVE-2026-26180: shared CWE-122
CVE-2026-20922: shared CWE-122
CVE-2024-47796: shared CWE-119

Affected Assets

Vendor: libvips
Product: libvips
Versions: ≤ 8.18.0

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation (prevent): directly requires applying the available patch (commit b3ab458a) to remediate the heap buffer overflow in libvips csvload.c before exploitation.

SI-10 Information Input Validation (prevent): mandates input validation on untrusted CSV data to enforce bounds checking and block the malformed input that triggers the overflow.

SI-16 Memory Protection (prevent): requires memory protection mechanisms that can prevent unauthorized code execution or corruption resulting from the heap overflow, such as non-executable memory and address space layout randomization; these raise the cost of turning the overflow into code execution but do not stop the out-of-bounds write itself, so they complement rather than replace the patch.
