CVE-2026-3282
Published: 27 February 2026
Summary
CVE-2026-3282 is a low-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Libvips Libvips. Its CVSS base score is 1.9 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 1.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-3282 is an out-of-bounds read vulnerability in libvips version 8.19.0, affecting the vips_unpremultiply_build function within the file libvips/conversion/unpremultiply.c. The flaw arises from manipulation of the alpha_band argument, leading to improper memory access. It is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-125 (Out-of-bounds Read), with a CVSS v3.1 base score of 3.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).
The vulnerability requires local access to exploit, with low attack complexity and low privileges (PR:L), and no user interaction. A local attacker can trigger the out-of-bounds read to obtain sensitive information (low confidentiality impact), though it does not affect integrity or availability. An exploit has been published and may be used.
Mitigation is available via the patch at commit 7215ead1e0cd7d3703cc4f5fca06d7d0f4c22b91 in the libvips repository. Security practitioners should update to a patched version of libvips, with details discussed in GitHub issues #4881 and pull request #4886.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8989
Vulnerability details
A flaw has been found in libvips 8.19.0. This vulnerability affects the function vips_unpremultiply_build of the file libvips/conversion/unpremultiply.c. Executing a manipulation of the argument alpha_band can lead to out-of-bounds read. The attack needs to be launched locally. The exploit has…
more
been published and may be used. This patch is called 7215ead1e0cd7d3703cc4f5fca06d7d0f4c22b91. A patch should be applied to remediate this issue.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Out-of-bounds read in local library enables direct extraction of sensitive data from process memory on the local system (T1005).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires applying the published patch (commit 7215ead) to eliminate the out-of-bounds read in vips_unpremultiply_build.
Enforces memory-access protections that can block or contain the CWE-125 out-of-bounds read triggered by alpha_band manipulation.
Limits installation or execution of the vulnerable libvips 8.19.0 component to reduce the attack surface for local exploitation.