CVE-2026-3146
Null Pointer Dereference in libvips vips_foreign_load_matrix_header
Publication date: 2026-02-25
Last updated on: 2026-02-25
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| libvips | libvips | to 8.18.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use. |
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3146 is a null pointer dereference vulnerability in the libvips image processing library, specifically in the function vips_foreign_load_matrix_header within the file libvips/foreign/matrixload.c.
The vulnerability occurs when this function processes an empty input file. The function vips_sbuf_get_line_copy returns a NULL pointer for empty input, which is then passed unchecked to parse_matrix_header. Inside parse_matrix_header, the code dereferences this NULL pointer by calling strchr on it, causing a segmentation fault and crashing the process.
This issue leads to an application crash due to a null pointer dereference instead of handling the empty input gracefully.
How can this vulnerability impact me? :
This vulnerability can cause the libvips application to crash or exit unexpectedly when processing certain inputs, specifically empty matrix files.
Since the vulnerability leads to a null pointer dereference and segmentation fault, it results in a denial of service condition affecting the availability of the application.
The attack requires local access to the system and is considered easy to exploit, but it does not allow remote exploitation or compromise confidentiality or integrity.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to reproduce the crash condition locally using the vulnerable libvips version. Specifically, running the command `vips matrixload` on an empty matrix file triggers the null pointer dereference and causes a segmentation fault.
Using AddressSanitizer (ASAN) when compiling libvips can help detect the null pointer dereference by reporting a SEGV caused by a read access at address zero.
- Compile libvips with ASAN enabled.
- Create an empty matrix file, e.g., `touch empty.mat`.
- Run the command: `vips matrixload empty.mat`.
If the process crashes with a segmentation fault, it indicates the presence of the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to apply the official patch that fixes the null pointer dereference in the function `vips_foreign_load_matrix_header`.
The patch is identified by the commit `d4ce337c76bff1b278d7085c3c4f4725e3aa6ece` and is available in the libvips GitHub repository.
Until the patch is applied, avoid processing empty or malformed matrix files with the vulnerable libvips version to prevent crashes.
Ensure that only trusted users have local access to the system, as the attack requires local execution.