Cyber Resilience

CVE-2026-3282

LowPublic PoC

Published: 27 February 2026

Published
27 February 2026
Modified
02 March 2026
KEV Added
Patch
CVSS Score v4 1.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0001 1.3th percentile
Risk Priority 4 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-3282 is a low-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Libvips Libvips. Its CVSS base score is 1.9 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 1.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-3282 is an out-of-bounds read vulnerability in libvips version 8.19.0, affecting the vips_unpremultiply_build function within the file libvips/conversion/unpremultiply.c. The flaw arises from manipulation of the alpha_band argument, leading to improper memory access. It is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-125 (Out-of-bounds Read), with a CVSS v3.1 base score of 3.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).

The vulnerability requires local access to exploit, with low attack complexity and low privileges (PR:L), and no user interaction. A local attacker can trigger the out-of-bounds read to obtain sensitive information (low confidentiality impact), though it does not affect integrity or availability. An exploit has been published and may be used.

Mitigation is available via the patch at commit 7215ead1e0cd7d3703cc4f5fca06d7d0f4c22b91 in the libvips repository. Security practitioners should update to a patched version of libvips, with details discussed in GitHub issues #4881 and pull request #4886.

EU & UK References

Vulnerability details

A flaw has been found in libvips 8.19.0. This vulnerability affects the function vips_unpremultiply_build of the file libvips/conversion/unpremultiply.c. Executing a manipulation of the argument alpha_band can lead to out-of-bounds read. The attack needs to be launched locally. The exploit has…

more

been published and may be used. This patch is called 7215ead1e0cd7d3703cc4f5fca06d7d0f4c22b91. A patch should be applied to remediate this issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Out-of-bounds read in local library enables direct extraction of sensitive data from process memory on the local system (T1005).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3283Same product: Libvips Libvips
CVE-2026-3145Same product: Libvips Libvips
CVE-2026-3281Same product: Libvips Libvips
CVE-2026-3147Same product: Libvips Libvips
CVE-2025-15412Shared CWE-119, CWE-125
CVE-2025-20922Shared CWE-125
CVE-2024-53834Shared CWE-125
CVE-2025-20919Shared CWE-125
CVE-2026-24915Shared CWE-125
CVE-2025-20916Shared CWE-125

Affected Assets

libvips
libvips
8.19.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires applying the published patch (commit 7215ead) to eliminate the out-of-bounds read in vips_unpremultiply_build.

prevent

Enforces memory-access protections that can block or contain the CWE-125 out-of-bounds read triggered by alpha_band manipulation.

prevent

Limits installation or execution of the vulnerable libvips 8.19.0 component to reduce the attack surface for local exploitation.

References