CVE-2026-3146
Received - Intake
Null Pointer Dereference in libvips vips_foreign_load_matrix_header

Publication date: 2026-02-25

Last updated on: 2026-02-25

Assigner: VulDB

Description
A vulnerability has been found in libvips up to 8.18.0. The impacted element is the function vips_foreign_load_matrix_header of the file libvips/foreign/matrixload.c. The manipulation leads to null pointer dereference. The attack needs to be performed locally. The identifier of the patch is d4ce337c76bff1b278d7085c3c4f4725e3aa6ece. To fix this issue, it is recommended to deploy a patch.
Meta Information

  • Published: 2026-02-25
  • Last Modified: 2026-02-25
  • Generated: 2026-06-16
  • AI Q&A: 2026-02-25
  • EPSS Evaluated: 2026-06-14
Affected Vendors & Products
  • Vendor: libvips
  • Product: libvips
  • Version / Range: to 8.18.0 (inc)
CWE ID and description:

  • CWE-476: The product dereferences a pointer that it expects to be valid but is NULL.
  • CWE-404: The product does not release or incorrectly releases a resource before it is made available for re-use.
Executive Summary

CVE-2026-3146 is a null pointer dereference vulnerability in the libvips image processing library, specifically in the function vips_foreign_load_matrix_header within the file libvips/foreign/matrixload.c.

The vulnerability occurs when this function processes an empty input file. The function vips_sbuf_get_line_copy returns a NULL pointer for empty input, which is then passed unchecked to parse_matrix_header. Inside parse_matrix_header, the code dereferences this NULL pointer by calling strchr on it, causing a segmentation fault and crashing the process.

This issue leads to an application crash due to a null pointer dereference instead of handling the empty input gracefully.
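The unchecked-NULL pattern described above, and the guard that closes it, as an added example that is not libvips code. The names `get_line_copy`, `parse_header` and `load_header` and the "width height" header format are hypothetical stand-ins constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical line reader: heap copy of the next line, or NULL when the input is empty. */
static char *get_line_copy(const char **cursor)
{
    const char *s = *cursor;
    if (*s == '\0')
        return NULL;                      /* empty input: nothing to copy */
    size_t n = strcspn(s, "\n");
    char *line = malloc(n + 1);
    if (line == NULL)
        return NULL;
    memcpy(line, s, n);
    line[n] = '\0';
    *cursor = s + n + (s[n] == '\n');     /* step past the newline if present */
    return line;
}

/* Constructed "width height" parser. Requires line != NULL: strchr(NULL, c) reads address zero. */
static int parse_header(char *line, int *width, int *height)
{
    for (char *p = line; (p = strchr(p, '"')) != NULL; )
        *p = ' ';                         /* blank out quote characters */
    if (sscanf(line, "%d %d", width, height) != 2)
        return -1;
    return (*width > 0 && *height > 0) ? 0 : -1;
}

/* Hardened caller: the NULL check below is what the unchecked pattern omits. */
int load_header(const char *input, int *width, int *height)
{
    const char *cursor = input;
    char *line = get_line_copy(&cursor);
    if (line == NULL)
        return -1;                        /* fail cleanly instead of crashing */
    int rc = parse_header(line, width, height);
    free(line);                           /* release the copy on every path */
    return rc;
}

int main(void)
{
    int w = 0, h = 0;
    printf("empty: %d\n", load_header("", &w, &h));
    printf("valid: %d\n", load_header("3 2\n1 2 3\n4 5 6\n", &w, &h));
    return 0;
}
```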

Impact Analysis

This vulnerability can cause an application that uses libvips to crash or exit unexpectedly when it processes certain inputs, specifically empty matrix files.

Since the vulnerability leads to a null pointer dereference and segmentation fault, it results in a denial of service condition affecting the availability of the application.

The attack requires local access to the system and is considered easy to exploit, but it does not allow remote exploitation or compromise confidentiality or integrity.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by attempting to reproduce the crash condition locally using the vulnerable libvips version. Specifically, running the command `vips matrixload` on an empty matrix file triggers the null pointer dereference and causes a segmentation fault.

Using AddressSanitizer (ASAN) when compiling libvips can help detect the null pointer dereference by reporting a SEGV caused by a read access at address zero.

  • Compile libvips with ASAN enabled.
  • Create an empty matrix file, e.g., `touch empty.mat`.
  • Run the command: `vips matrixload empty.mat`.

If the process crashes with a segmentation fault, it indicates the presence of the vulnerability.

Mitigation Strategies

The immediate mitigation step is to apply the official patch that fixes the null pointer dereference in the function `vips_foreign_load_matrix_header`.

The patch is identified by the commit `d4ce337c76bff1b278d7085c3c4f4725e3aa6ece` and is available in the libvips GitHub repository.

Until the patch is applied, avoid processing empty or malformed matrix files with the vulnerable libvips version to prevent crashes.

Ensure that only trusted users have local access to the system, as the attack requires local execution.
