Login Sign Up

CVE-2026-3146

3.3 LOW
Denial of Service

📋 TL;DR

This CVE describes a null pointer dereference vulnerability in libvips image processing library. Attackers with local access can cause denial of service by triggering a crash in the vips_foreign_load_matrix_header function. Users of applications that incorporate libvips up to version 8.18.0 are affected.

💻 Affected Systems

Products:
  • libvips
Versions: Up to and including 8.18.0
Operating Systems: All platforms running libvips
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using libvips for image processing is vulnerable when handling matrix files

📦 What is this software?

Libvips by Libvips

View all CVEs affecting Libvips →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Local denial of service causing application crash and potential data loss if unsaved work exists

🟠

Likely Case

Application crash when processing malicious matrix files, requiring restart

🟢

If Mitigated

Minimal impact with proper access controls limiting local user privileges

🌐 Internet-Facing: LOW - Attack requires local access, cannot be exploited remotely
🏢 Internal Only: MEDIUM - Local attackers could disrupt services using libvips, but requires existing access

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access and ability to trigger the vulnerable function with crafted input

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after commit d4ce337c76bff1b278d7085c3c4f4725e3aa6ece

Vendor Advisory: https://github.com/libvips/libvips/issues/4875

Restart Required: Yes

Instructions:

1. Update libvips to version 8.18.1 or later
2. Rebuild applications using libvips if statically linked
3. Restart affected services

🔧 Temporary Workarounds

Restrict local user access

all

Limit local user privileges to reduce attack surface

Disable matrix file processing

all

Configure applications to avoid using vips_foreign_load_matrix_header function

🧯 If You Can't Patch

  • Implement strict access controls to limit local user privileges
  • Monitor for application crashes and investigate any suspicious local user activity

🔍 How to Verify

Check if Vulnerable:

Check libvips version with 'vips --version' or 'ldconfig -p | grep libvips'

Check Version:

vips --version 2>/dev/null || pkg-config --modversion vips-api 2>/dev/null || echo "libvips not found"

Verify Fix Applied:

Verify version is 8.18.1 or later, or check if commit d4ce337c76bff1b278d7085c3c4f4725e3aa6ece is present in source

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with segmentation faults in libvips
  • Error logs mentioning vips_foreign_load_matrix_header

Network Indicators:

  • None - local exploitation only

SIEM Query:

process.name:"vips" AND event.action:"segmentation fault" OR process.name:"vips" AND exit_code:"139"

📊 Metadata

CVE ID: CVE-2026-3146
CVSS v3 Score: 3.3 (LOW)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
CWE: CWE-404
Published: February 25, 2026
Last Updated: February 25, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-3146, you might also want to check these:

CVE-2025-38385 7.8

This CVE describes a kernel warning triggered during USB device disconnection in the Linux kernel's ...

Same vulnerability type (CWE-404)
CVE-2022-23033 7.8

This Xen hypervisor vulnerability on ARM systems allows guest virtual machines to retain access to m...

Same vulnerability type (CWE-404)
CVE-2021-0984 7.8

This vulnerability in Android 12 allows local privilege escalation without user interaction. An inco...

Same vulnerability type (CWE-404)