CVE-2026-3284
Received Received - Intake
Integer Overflow in libvips vips_extract_area_build Function

Publication date: 2026-02-27

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in libvips 8.19.0. Impacted is the function vips_extract_area_build of the file libvips/conversion/extract.c. The manipulation of the argument extract_area results in integer overflow. The attack requires a local approach. The exploit has been made public and could be used. The patch is identified as 24795bb3d19d84f7b6f5ed86451ad556c8f2fe70. It is advisable to implement a patch to correct this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-27
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-27
EPSS Evaluated
2026-06-14
NVD
CVE-2026-3284
EUVD
EUVD-2026-8991
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
libvips libvips 8.19.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-189
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in libvips version 8.19.0, specifically in the function vips_extract_area_build within the file libvips/conversion/extract.c. It is caused by the improper manipulation of the argument extract_area, which leads to an integer overflow.

An attacker with local access can exploit this flaw. The vulnerability has been publicly disclosed, and a patch has been made available to fix the issue.

Impact Analysis

The vulnerability can cause an integer overflow, which may lead to a denial of service or other unintended behavior affecting availability.

Since the attack requires local access, the impact is limited to users or processes with local privileges.

The CVSS scores indicate a low to moderate impact, primarily affecting availability without compromising confidentiality or integrity.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

The vulnerability can be mitigated by applying the patch identified as 24795bb3d19d84f7b6f5ed86451ad556c8f2fe70 to the affected libvips version.

Since the attack requires local access, limiting local user privileges and access can also reduce risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3284. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart