Null Pointer Vulnerability in libvips Affects Local Operations
CVE-2026-3146

4.8MEDIUM

Key Information:

Vendor

libvips

Status
Libvips
Vendor
CVE Published:
25 February 2026

What is CVE-2026-3146?

A vulnerability has been identified in libvips, specifically within the vips_foreign_load_matrix_header function in the matrixload.c file. This issue can lead to a null pointer dereference, potentially allowing attackers to exploit the vulnerability locally. Users are advised to apply the available patch (commit d4ce337c76bff1b278d7085c3c4f4725e3aa6ece) to mitigate any security risks associated with this vulnerability.

Affected Version(s)

libvips 8.0

libvips 8.1

libvips 8.2

References

https://vuldb.com/?id.347652
vdb-entrytechnical-description
https://vuldb.com/?ctiid.347652
signaturepermissions-required
https://vuldb.com/?submit.758691
third-party-advisory

CVSS V4

Score:
4.8
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Niebelungen (VulDB User)
.