CVE-2026-3146
Received Received - Intake

Null Pointer Dereference in libvips vips_foreign_load_matrix_header

Vulnerability report for CVE-2026-3146, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-25

Last updated on: 2026-02-25

Assigner: VulDB

Description

A vulnerability has been found in libvips up to 8.18.0. The impacted element is the function vips_foreign_load_matrix_header of the file libvips/foreign/matrixload.c. The manipulation leads to null pointer dereference. The attack needs to be performed locally. The identifier of the patch is d4ce337c76bff1b278d7085c3c4f4725e3aa6ece. To fix this issue, it is recommended to deploy a patch.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-25
Last Modified
2026-02-25
Generated
2026-07-06
AI Q&A
2026-02-25
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
libvips libvips to 8.18.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-404 The product does not release or incorrectly releases a resource before it is made available for re-use.
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-3146 is a null pointer dereference vulnerability in the libvips image processing library, specifically in the function vips_foreign_load_matrix_header within the file libvips/foreign/matrixload.c.

The vulnerability occurs when this function processes an empty input file. The function vips_sbuf_get_line_copy returns a NULL pointer for empty input, which is then passed unchecked to parse_matrix_header. Inside parse_matrix_header, the code dereferences this NULL pointer by calling strchr on it, causing a segmentation fault and crashing the process.

This issue leads to an application crash due to a null pointer dereference instead of handling the empty input gracefully.

Impact Analysis

This vulnerability can cause the libvips application to crash or exit unexpectedly when processing certain inputs, specifically empty matrix files.

Since the vulnerability leads to a null pointer dereference and segmentation fault, it results in a denial of service condition affecting the availability of the application.

The attack requires local access to the system and is considered easy to exploit, but it does not allow remote exploitation or compromise confidentiality or integrity.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by attempting to reproduce the crash condition locally using the vulnerable libvips version. Specifically, running the command `vips matrixload` on an empty matrix file triggers the null pointer dereference and causes a segmentation fault.

Using AddressSanitizer (ASAN) when compiling libvips can help detect the null pointer dereference by reporting a SEGV caused by a read access at address zero.

  • Compile libvips with ASAN enabled.
  • Create an empty matrix file, e.g., `touch empty.mat`.
  • Run the command: `vips matrixload empty.mat`.

If the process crashes with a segmentation fault, it indicates the presence of the vulnerability.

Mitigation Strategies

The immediate mitigation step is to apply the official patch that fixes the null pointer dereference in the function `vips_foreign_load_matrix_header`.

The patch is identified by the commit `d4ce337c76bff1b278d7085c3c4f4725e3aa6ece` and is available in the libvips GitHub repository.

Until the patch is applied, avoid processing empty or malformed matrix files with the vulnerable libvips version to prevent crashes.

Ensure that only trusted users have local access to the system, as the attack requires local execution.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3146. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart