CVE-2026-3147
Heap-Based Buffer Overflow in libvips CSV Loader (Local Attack
Publication date: 2026-02-25
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| libvips | libvips | up to and including 8.18.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3147 is a heap-based buffer overflow vulnerability in the libvips image processing library, specifically in the function vips_foreign_load_csv_build within the csvload.c file.
The issue arises because the function does not validate the strings passed through the --whitespace and --separator options. Each byte of those strings is used directly as an index into a fixed-size 256-entry lookup array. On platforms where the char data type is signed, any byte with the high bit set (which is every byte of a multi-byte UTF-8 sequence) is interpreted as a negative integer in the range -128 to -1. Used as an array subscript, such a value writes before the start of the array, corrupting whatever heap memory precedes it.
This vulnerability can be triggered locally by supplying a non-ASCII character (an emoji, or a character such as π, whose UTF-8 encoding is the two bytes 0xCF 0x80) in the whitespace or separator option when a CSV file is loaded. The resulting out-of-bounds write is reported as a heap-buffer-overflow by tools like AddressSanitizer.
How can this vulnerability impact me?
This vulnerability can lead to memory corruption through a heap-based buffer overflow, which may cause application crashes or unpredictable behaviour in the libvips library when a CSV file is loaded with crafted whitespace or separator options.
Since triggering it requires control of those options, an attacker with local access could exploit this flaw to compromise the stability or integrity of the system running libvips. Anything that forwards untrusted input into these options (for example, a service that lets its users choose a CSV delimiter) extends the same exposure to that input path.
The vulnerability could potentially be used to execute arbitrary code or escalate privileges, depending on the context and environment, although the vector is local and the assigned CVSS scores indicate a moderate severity level. Because the write lands before the start of the array, what is corrupted depends on the surrounding heap layout, and reliable code execution has not been demonstrated here.
Applying the patch that validates the whitespace and separator characters as strictly ASCII prevents this issue and mitigates the risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to reproduce the heap-based buffer overflow using the vulnerable libvips csvload functionality with non-ASCII whitespace or separator characters.
A practical detection method is to run the `vips csvload` command with the `--whitespace` option set to a non-ASCII UTF-8 character such as π (encoded as 0xCF 0x80) or an emoji. This triggers the out-of-bounds access, which tools like AddressSanitizer (ASAN) report as a heap-buffer-overflow error.
- Check the installed version with `vips --version`; anything at or below 8.18.0 is in the affected range listed above.
- Build libvips with AddressSanitizer enabled for debugging.
- Run a command similar to: `vips csvload --whitespace='π' <csv-file>` to trigger the vulnerability.
If ASAN is enabled, it will detect and report the heap-buffer-overflow caused by negative indexing in the CSV loader. A build without sanitizers may crash, corrupt memory silently, or show nothing at all, so only the ASAN build gives a reliable signal. The overflow also depends on char being signed on the platform: on toolchains where plain char is unsigned (AArch64 Linux, for instance) the same command stays within the table bounds. [2, 3]
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation is to apply the official patch that fixes the vulnerability by validating that the whitespace and separator characters used in CSV parsing are strictly ASCII.
This patch prevents non-ASCII characters from being used, which stops the negative indexing and heap overflow.
- Update libvips to a version that includes the patch identified by commit b3ab458a25e0e261cbd1788474bbc763f7435780.
- If updating immediately is not possible, avoid using non-ASCII characters in the `--whitespace` and `--separator` options when running `vips csvload`, and make sure any code of your own that passes user-supplied values into these options rejects non-ASCII input before calling libvips.
Applying the patch or upgrading to a fixed version is the most effective way to mitigate the risk of exploitation.
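The negative-index mechanism described in the explanation above and the ASCII validation named as the fix in the mitigation steps, shown together in an added C example. This is illustrative code written for this page, not libvips source: the 256-entry table, its guard padding and every function name (`build_table_naive`, `build_table_unsigned`, `build_table_validated`, `option_is_ascii`) are assumptions that stand in for the real loader's tables, which sit on the heap without such padding, which is why the real bug corrupts neighbouring allocations instead of a guard region.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define TABLE_SIZE 256
#define GUARD 128   /* absorbs the whole negative range -128..-1 */

/* Hypothetical stand-in for a 256-entry whitespace/separator lookup
 * table.  The table sits inside a larger buffer with GUARD bytes on each
 * side so that an out-of-range subscript lands in memory we own and can
 * be counted, instead of silently corrupting the heap.  Every access goes
 * through `bytes`, so no pointer ever leaves a single array. */
typedef struct {
    unsigned char bytes[GUARD + TABLE_SIZE + GUARD];
} GuardedTable;

/* The subscript a naive `table[opt[i]]` computes on a platform whose
 * plain char is signed.  Casting through `signed char` makes this
 * deterministic even where char is unsigned (e.g. AArch64 Linux), which
 * is also why the bug does not reproduce on such platforms. */
int signed_index_of_byte(unsigned char b) {
    return (int)(signed char)b;   /* 0x80..0xFF -> -128..-1 */
}

/* Vulnerable pattern: mark every byte of the option string in the table
 * using the signed subscript.  Returns how many writes fell outside the
 * 256-entry table; here they land in the leading guard region. */
int build_table_naive(GuardedTable *t, const char *opt) {
    memset(t->bytes, 0, sizeof t->bytes);
    int out_of_bounds = 0;
    for (const unsigned char *p = (const unsigned char *)opt; *p; p++) {
        int idx = signed_index_of_byte(*p);
        if (idx < 0) out_of_bounds++;
        t->bytes[GUARD + idx] = 1;   /* negative idx writes before the table */
    }
    return out_of_bounds;
}

/* Hardened form 1: subscript with unsigned char so every byte maps to
 * 0..255.  Returns the out-of-bounds count, which is always 0. */
int build_table_unsigned(GuardedTable *t, const char *opt) {
    memset(t->bytes, 0, sizeof t->bytes);
    for (const unsigned char *p = (const unsigned char *)opt; *p; p++)
        t->bytes[GUARD + (int)*p] = 1;
    return 0;
}

/* Any byte >= 0x80 belongs to a multi-byte UTF-8 sequence (or is invalid). */
bool option_is_ascii(const char *opt) {
    for (const unsigned char *p = (const unsigned char *)opt; *p; p++)
        if (*p > 0x7F) return false;
    return true;
}

/* Hardened form 2, the shape of the fix described on this page: reject
 * non-ASCII option strings before they reach the table.  Returns -1 on
 * rejection, otherwise 0, because with all bytes in 0..127 even the
 * naive signed subscript is in range. */
int build_table_validated(GuardedTable *t, const char *opt) {
    if (!option_is_ascii(opt)) return -1;
    return build_table_naive(t, opt);
}

/* Number of guard bytes before the table that were written to. */
int guard_bytes_dirtied(const GuardedTable *t) {
    int n = 0;
    for (int i = 0; i < GUARD; i++) n += t->bytes[i] != 0;
    return n;
}

int main(void) {
    /* Constructed inputs: "," is ASCII; "\xCF\x80" is the UTF-8 for pi. */
    const char *opts[] = { ",", "\xCF\x80" };
    GuardedTable t;
    for (int i = 0; i < 2; i++) {
        int oob = build_table_naive(&t, opts[i]);
        int dirtied = guard_bytes_dirtied(&t);
        int validated = build_table_validated(&t, opts[i]);
        printf("option %d: %d out-of-bounds write(s), %d guard byte(s) hit, "
               "validated=%d\n", i, oob, dirtied, validated);
    }
    return 0;
}
```

With the two-byte π input the naive build touches offsets -49 (0xCF) and -128 (0x80) relative to the table start, which is the "write before the start of the array" the advisory describes; the unsigned-subscript variant maps the same bytes to entries 207 and 128, and the validated variant refuses the string outright, matching the patch's strictly-ASCII check.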