CVE-2026-6491

Sažetak

A security vulnerability has been detected in libvips up to 8.18.2. The affected element is the function im_minpos_vec of the file libvips/deprecated/vips7compat.c of the component nip2 Handler. Such manipulation of the argument n leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed publicly and may be used. The vendor confirms that they will "be removing the deprecated area in libvips 8.19".

Reference

https://github.com/biniamf/pocs/tree/main/libvips_im_minpos_vec_oob
https://github.com/libvips/libvips/
https://github.com/libvips/libvips/issues/4965
https://github.com/libvips/libvips/issues/4965#issuecomment-4135003499
https://vuldb.com/submit/786994
https://vuldb.com/vuln/358035
https://vuldb.com/vuln/358035/cti

CVSS

Base:	4.3
Impact:	6.4
Exploitability:	3.1

Pristup

Vektor	Složenost	Autentikacija
LOCAL	LOW	SINGLE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	PARTIAL

CVSS vektor

AV:L/AC:L/Au:S/C:P/I:P/A:P

Zadnje važnije ažuriranje

17-04-2026 - 14:16

Objavljeno

17-04-2026 - 14:16