CVE-2026-3147
Heap-Based Buffer Overflow in libvips CSV Loader (Local Attack

Publication date: 2026-02-25

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in libvips up to 8.18.0. This affects the function vips_foreign_load_csv_build of the file libvips/foreign/csvload.c. The manipulation results in heap-based buffer overflow. The attack requires a local approach. The exploit has been made public and could be used. The patch is identified as b3ab458a25e0e261cbd1788474bbc763f7435780. It is advisable to implement a patch to correct this issue.
Meta Information
Published: 2026-02-25
Last Modified: 2026-04-29
Generated: 2026-06-16
AI Q&A: 2026-02-25
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Showing 1 associated CPE
| Vendor | Product | Version / Range |
|---|---|---|
| libvips | libvips | to 8.18.0 (inc) |
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
Executive Summary

CVE-2026-3147 is a heap-based buffer overflow vulnerability in the libvips image processing library, specifically in the function vips_foreign_load_csv_build within the csvload.c file.

The issue arises because the function improperly handles the --whitespace and --separator command-line options, which accept byte values used as indexes into fixed-size 256-byte arrays. On platforms where the char data type is signed, non-ASCII UTF-8 bytes can be interpreted as negative integers. These negative values are then used as array indexes, causing out-of-bounds writes before the start of the arrays, leading to memory corruption.

This vulnerability can be triggered locally by providing non-ASCII characters (such as emojis) to the whitespace or separator options during CSV file processing, resulting in heap-buffer-overflow errors detected by tools like AddressSanitizer.
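
The signed-index arithmetic described above, as an added example (not libvips source code and not the upstream patch). `naive_index`, `count_negative_indexes` and `build_table` are hypothetical names, and the emoji bytes are constructed sample input; the hardened builder follows the page's description of the fix (reject non-ASCII bytes before indexing).

```c
#include <stdio.h>
#include <string.h>

/* Index the unchecked pattern computes where plain char is signed.
 * Modelled with arithmetic so the result is identical on every platform. */
static int naive_index(const char *opt, size_t i)
{
    int v = (unsigned char) opt[i];
    return v >= 128 ? v - 256 : v;      /* bytes 0x80..0xFF map to -128..-1 */
}

/* Number of option bytes that would index before the start of the table. */
static int count_negative_indexes(const char *opt)
{
    int n = 0;
    for (size_t i = 0; opt[i] != '\0'; i++)
        if (naive_index(opt, i) < 0)
            n++;
    return n;
}

/* Hardened builder (hypothetical): validate every byte as ASCII before any
 * of them is used as an index into the 256-entry table. Returns -1 on reject. */
static int build_table(unsigned char map[256], const char *opt)
{
    memset(map, 0, 256);
    for (size_t i = 0; opt[i] != '\0'; i++)
        if ((unsigned char) opt[i] > 0x7f)
            return -1;
    for (size_t i = 0; opt[i] != '\0'; i++)
        map[(unsigned char) opt[i]] = 1;
    return 0;
}

int main(void)
{
    unsigned char map[256];
    const char *emoji = "\xF0\x9F\x98\x80";  /* constructed input: U+1F600 as UTF-8 */

    for (size_t i = 0; emoji[i] != '\0'; i++)
        printf("byte 0x%02X -> index %d\n", (unsigned char) emoji[i], naive_index(emoji, i));
    printf("out-of-bounds indexes: %d\n", count_negative_indexes(emoji));
    printf("hardened, emoji: %d\n", build_table(map, emoji));
    printf("hardened, \" \\t\": %d\n", build_table(map, " \t"));
    return 0;
}
```

Every byte of a multi-byte UTF-8 sequence has its high bit set, so each one produces a negative index in the unchecked form, while the hardened form rejects the option before touching the table.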

Impact Analysis

This vulnerability can lead to memory corruption due to heap-based buffer overflow, which may cause application crashes or unpredictable behavior in the libvips library when processing CSV files with specially crafted inputs.

Since the exploit requires local access, an attacker with local privileges could exploit this flaw to compromise the stability or integrity of the system running libvips.

The vulnerability could potentially be used to execute arbitrary code or escalate privileges, depending on the context and environment, although the CVSS scores indicate a moderate severity level.

Applying the patch that validates the whitespace and separator characters as strictly ASCII prevents this issue and mitigates the risk.

Detection Guidance

This vulnerability can be detected by attempting to reproduce the heap-based buffer overflow using the vulnerable libvips csvload functionality with non-ASCII whitespace or separator characters.

A practical detection method is to run the `vips csvload` command with the `--whitespace` option set to a non-ASCII UTF-8 character such as an emoji (e.g., 😀). This triggers the out-of-bounds access and can be detected by tools like AddressSanitizer (ASAN), which reports a heap-buffer-overflow error.

  • Build libvips with AddressSanitizer enabled for debugging.
  • Run a command similar to: `vips csvload --whitespace='😀' <csv-file>` to trigger the vulnerability.

If ASAN is enabled, it will detect and report the heap-buffer-overflow caused by negative indexing in the CSV loader. [2, 3]

Mitigation Strategies

The immediate and recommended mitigation is to apply the official patch that fixes the vulnerability by validating that the whitespace and separator characters used in CSV parsing are strictly ASCII.

This patch prevents non-ASCII characters from being used, which stops the negative indexing and heap overflow.

  • Update libvips to a version that includes the patch identified by commit b3ab458a25e0e261cbd1788474bbc763f7435780.
  • If updating immediately is not possible, avoid using non-ASCII characters in the `--whitespace` and `--separator` options when running `vips csvload`.

Applying the patch or upgrading to a fixed version is the most effective way to mitigate the risk of exploitation.
