
Description

A vulnerability has been found in libvips 8.19.0. It affects the function vips_extract_band_build in the file libvips/conversion/extract.c. Manipulating the argument extract_band leads to an out-of-bounds read. The attack must be performed locally. The exploit has been publicly disclosed and may be used. The patch is identified by 24795bb3d19d84f7b6f5ed86451ad556c8f2fe70. Applying the patch is recommended to fix this issue.

PUBLISHED Reserved 2026-02-26 | Published 2026-02-27 | Updated 2026-02-27 | Assigner VulDB




MEDIUM: 4.8 | CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
LOW: 3.3 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C
LOW: 3.3 | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C
1.7 | AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C

Problem types

Out-of-Bounds Read

Memory Corruption

Timeline

2026-02-26: Advisory disclosed
2026-02-26: VulDB entry created
2026-02-26: VulDB entry last update

Credits

Niebelungen (VulDB User) reporter

References

vuldb.com/?id.348012 (VDB-348012 | libvips extract.c vips_extract_band_build out-of-bounds) vdb-entry technical-description

vuldb.com/?ctiid.348012 (VDB-348012 | CTI Indicators (IOB, IOC, IOA)) signature permissions-required

vuldb.com/?submit.758863 (Submit #758863 | libvips 8.19.0(7fab325d2) Integer Overflow or Wraparound) third-party-advisory

github.com/libvips/libvips/issues/4880 issue-tracking

github.com/libvips/libvips/pull/4887 issue-tracking patch

github.com/libvips/libvips/issues/4880 exploit issue-tracking

github.com/...ommit/24795bb3d19d84f7b6f5ed86451ad556c8f2fe70 patch

github.com/libvips/libvips/ product

cve.org (CVE-2026-3283)

nvd.nist.gov (CVE-2026-3283)
