FKIE_CVE-2026-3283

Vulnerability from fkie_nvd - Published: 2026-02-27 03:16 - Updated: 2026-02-27 14:06
Severity ?
3.3 (Low) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
A vulnerability has been found in libvips 8.19.0. This issue affects the function vips_extract_band_build of the file libvips/conversion/extract.c. The manipulation of the argument extract_band leads to out-of-bounds read. The attack needs to be performed locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 24795bb3d19d84f7b6f5ed86451ad556c8f2fe70. To fix this issue, it is recommended to deploy a patch.
References
cna@vuldb.comhttps://github.com/libvips/libvips/
cna@vuldb.comhttps://github.com/libvips/libvips/commit/24795bb3d19d84f7b6f5ed86451ad556c8f2fe70
cna@vuldb.comhttps://github.com/libvips/libvips/issues/4880
cna@vuldb.comhttps://github.com/libvips/libvips/issues/4880#issue-3944214985
cna@vuldb.comhttps://github.com/libvips/libvips/pull/4887
cna@vuldb.comhttps://vuldb.com/?ctiid.348012
cna@vuldb.comhttps://vuldb.com/?id.348012
cna@vuldb.comhttps://vuldb.com/?submit.758863
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A vulnerability has been found in libvips 8.19.0. This issue affects the function vips_extract_band_build of the file libvips/conversion/extract.c. The manipulation of the argument extract_band leads to out-of-bounds read. The attack needs to be performed locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 24795bb3d19d84f7b6f5ed86451ad556c8f2fe70. To fix this issue, it is recommended to deploy a patch."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad ha sido encontrada en libvips 8.19.0. Este problema afecta la funci\u00f3n vips_extract_band_build del archivo libvips/conversion/extract.c. La manipulaci\u00f3n del argumento extract_band lleva a lectura fuera de l\u00edmites. El ataque necesita ser realizado localmente. El exploit ha sido divulgado al p\u00fablico y puede ser usado. El identificador del parche es 24795bb3d19d84f7b6f5ed86451ad556c8f2fe70. Para solucionar este problema, se recomienda desplegar un parche."
    }
  ],
  "id": "CVE-2026-3283",
  "lastModified": "2026-02-27T14:06:37.987",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "LOCAL",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 1.7,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:L/AC:L/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "cna@vuldb.com",
        "type": "Secondary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 3.3,
          "baseSeverity": "LOW",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 1.4,
        "source": "cna@vuldb.com",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "LOCAL",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 1.9,
          "baseSeverity": "LOW",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "PROOF_OF_CONCEPT",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "LOW",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "cna@vuldb.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-27T03:16:02.940",
  "references": [
    {
      "source": "cna@vuldb.com",
      "url": "https://github.com/libvips/libvips/"
    },
    {
      "source": "cna@vuldb.com",
      "url": "https://github.com/libvips/libvips/commit/24795bb3d19d84f7b6f5ed86451ad556c8f2fe70"
    },
    {
      "source": "cna@vuldb.com",
      "url": "https://github.com/libvips/libvips/issues/4880"
    },
    {
      "source": "cna@vuldb.com",
      "url": "https://github.com/libvips/libvips/issues/4880#issue-3944214985"
    },
    {
      "source": "cna@vuldb.com",
      "url": "https://github.com/libvips/libvips/pull/4887"
    },
    {
      "source": "cna@vuldb.com",
      "url": "https://vuldb.com/?ctiid.348012"
    },
    {
      "source": "cna@vuldb.com",
      "url": "https://vuldb.com/?id.348012"
    },
    {
      "source": "cna@vuldb.com",
      "url": "https://vuldb.com/?submit.758863"
    }
  ],
  "sourceIdentifier": "cna@vuldb.com",
  "vulnStatus": "Undergoing Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-119"
        },
        {
          "lang": "en",
          "value": "CWE-125"
        }
      ],
      "source": "cna@vuldb.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.