Donate Telegram

CVE-2026-3284

MEDIUM CVSS 4.0: 4.8 EPSS 0.01%

Feb 27, 2026

Updated Feb 27, 2026

libvips

Parameter	Value
CVSS	4.8 (MEDIUM)
Type	CWE-190 (Integer Overflow), CWE-189
Vendor	libvips
Public PoC	No

A vulnerability was found in libvips 8.19.0. Impacted is the function vips_extract_area_build of the file libvips/conversion/extract.c. The manipulation of the argument extract_area results in integer overflow.

The attack requires a local approach. The exploit has been made public and could be used. The patch is identified as 24795bb3d19d84f7b6f5ed86451ad556c8f2fe70.

It is advisable to implement a patch to correct this issue.

Attack Parameters

Attack Vector

Local

Requires local access

Attack Complexity

Low

Easy to exploit

Attack Requirements

None

No additional conditions

Privileges Required

Low

Basic privileges needed

User Interaction

None

No user interaction needed

Impact Assessment

Confidentiality

None

No data leak

Integrity

None

No data modification

Availability

Low

Partial disruption

CVSS Vector v4.0

Weakness Type (CWE)

CWE-190 Integer Overflow

References 8

https://github.com/libvips/libvips/

https://github.com/libvips/libvips/commit/24795bb3d19d84f7b6f5ed86451ad556c8f2f…

https://github.com/libvips/libvips/issues/4879

https://github.com/libvips/libvips/issues/4879#issue-3944211794

https://github.com/libvips/libvips/pull/4887

https://vuldb.com/?ctiid.348013

https://vuldb.com/?id.348013

https://vuldb.com/?submit.758864

Share Post Share Share Share

CVE Details

CVE ID

CVE-2026-3284

Published Date

Feb 27, 2026

Vendor

libvips

Severity

MEDIUM

CVSS v4.0 Score

4.8

Medium severity. Plan remediation.

Exploit Prediction (EPSS)

Probability of Exploit 0.01%

Likelihood of exploitation in next 30 days

Percentile: 1.6th percentile (higher than 1.6% of all CVEs)

Standard patching cycle

Impact

Partial service disruption

Source

Editor's Choice