{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3282", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-02-26T16:33:03.817Z", "datePublished": "2026-02-27T02:32:09.109Z", "dateUpdated": "2026-02-27T18:55:47.355Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-27T02:32:09.109Z"}, "title": "libvips unpremultiply.c vips_unpremultiply_build out-of-bounds", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-125", "lang": "en", "description": "Out-of-Bounds Read"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-119", "lang": "en", "description": "Memory Corruption"}]}], "affected": [{"vendor": "n/a", "product": "libvips", "versions": [{"version": "8.19.0", "status": "affected"}], "cpes": ["cpe:2.3:a:libvips:libvips:*:*:*:*:*:*:*:*"]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in libvips 8.19.0. This vulnerability affects the function vips_unpremultiply_build of the file libvips/conversion/unpremultiply.c. Executing a manipulation of the argument alpha_band can lead to out-of-bounds read. The attack needs to be launched locally. The exploit has been published and may be used. This patch is called 7215ead1e0cd7d3703cc4f5fca06d7d0f4c22b91. A patch should be applied to remediate this issue."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.7, "vectorString": "AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C"}}], "timeline": [{"time": "2026-02-26T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-02-26T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-02-26T17:38:15.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Niebelungen (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.348011", "name": "VDB-348011 | libvips unpremultiply.c vips_unpremultiply_build out-of-bounds", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.348011", "name": "VDB-348011 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.758862", "name": "Submit #758862 | libvips 8.19.0(7fab325d2) Out-of-Bounds Read", "tags": ["third-party-advisory"]}, {"url": "https://github.com/libvips/libvips/issues/4881", "tags": ["issue-tracking"]}, {"url": "https://github.com/libvips/libvips/pull/4886", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/libvips/libvips/issues/4881#issue-3944216443", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/libvips/libvips/commit/7215ead1e0cd7d3703cc4f5fca06d7d0f4c22b91", "tags": ["patch"]}, {"url": "https://github.com/libvips/libvips/", "tags": ["product"]}], "tags": ["x_open-source"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-27T18:55:37.119042Z", "id": "CVE-2026-3282", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T18:55:47.355Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3282", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-27T18:55:37.119042Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T18:55:42.672Z"}}], "cna": {"tags": ["x_open-source"], "title": "libvips unpremultiply.c vips_unpremultiply_build out-of-bounds", "credits": [{"lang": "en", "type": "reporter", "value": "Niebelungen (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.7, "vectorString": "AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C"}}], "affected": [{"cpes": ["cpe:2.3:a:libvips:libvips:*:*:*:*:*:*:*:*"], "vendor": "n/a", "product": "libvips", "versions": [{"status": "affected", "version": "8.19.0"}]}], "timeline": [{"lang": "en", "time": "2026-02-26T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-02-26T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-02-26T17:38:15.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.348011", "name": "VDB-348011 | libvips unpremultiply.c vips_unpremultiply_build out-of-bounds", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.348011", "name": "VDB-348011 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.758862", "name": "Submit #758862 | libvips 8.19.0(7fab325d2) Out-of-Bounds Read", "tags": ["third-party-advisory"]}, {"url": "https://github.com/libvips/libvips/issues/4881", "tags": ["issue-tracking"]}, {"url": "https://github.com/libvips/libvips/pull/4886", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/libvips/libvips/issues/4881#issue-3944216443", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/libvips/libvips/commit/7215ead1e0cd7d3703cc4f5fca06d7d0f4c22b91", "tags": ["patch"]}, {"url": "https://github.com/libvips/libvips/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in libvips 8.19.0. This vulnerability affects the function vips_unpremultiply_build of the file libvips/conversion/unpremultiply.c. Executing a manipulation of the argument alpha_band can lead to out-of-bounds read. The attack needs to be launched locally. The exploit has been published and may be used. This patch is called 7215ead1e0cd7d3703cc4f5fca06d7d0f4c22b91. A patch should be applied to remediate this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "Out-of-Bounds Read"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-119", "description": "Memory Corruption"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-27T02:32:09.109Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3282", "state": "PUBLISHED", "dateUpdated": "2026-02-27T18:55:47.355Z", "dateReserved": "2026-02-26T16:33:03.817Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-02-27T02:32:09.109Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:libvips:libvips:8.19.0:*:*:*:*:*:*:*", "matchCriteriaId": "180A1691-C529-44F7-B4C3-92A1A9618594", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in libvips 8.19.0. This vulnerability affects the function vips_unpremultiply_build of the file libvips/conversion/unpremultiply.c. Executing a manipulation of the argument alpha_band can lead to out-of-bounds read. The attack needs to be launched locally. The exploit has been published and may be used. This patch is called 7215ead1e0cd7d3703cc4f5fca06d7d0f4c22b91. A patch should be applied to remediate this issue."}, {"lang": "es", "value": "Se ha encontrado una falla en libvips 8.19.0. Esta vulnerabilidad afecta a la funci\u00f3n vips_unpremultiply_build del archivo libvips/conversion/unpremultiply.c. La ejecuci\u00f3n de una manipulaci\u00f3n del argumento alpha_band puede llevar a una lectura fuera de l\u00edmites. El ataque debe ser lanzado localmente. El exploit ha sido publicado y puede ser usado. Este parche se llama 7215ead1e0cd7d3703cc4f5fca06d7d0f4c22b91. Se debe aplicar un parche para remediar este problema."}], "id": "CVE-2026-3282", "lastModified": "2026-03-02T17:58:30.950", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 1.7, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.1, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.9, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-02-27T03:16:02.713", "references": [{"source": "cna@vuldb.com", "tags": ["Product"], "url": "https://github.com/libvips/libvips/"}, {"source": "cna@vuldb.com", "tags": ["Patch"], "url": "https://github.com/libvips/libvips/commit/7215ead1e0cd7d3703cc4f5fca06d7d0f4c22b91"}, {"source": "cna@vuldb.com", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://github.com/libvips/libvips/issues/4881"}, {"source": "cna@vuldb.com", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://github.com/libvips/libvips/issues/4881#issue-3944216443"}, {"source": "cna@vuldb.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/libvips/libvips/pull/4886"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/?ctiid.348011"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.348011"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?submit.758862"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-125"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "8.19.0"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "libvips", "source": "cna", "vendor": "n/a"}, "product": "libvips", "vendor": "libvips"}], "analysis": {"en": {"generated_at": "2026-04-16T15:35:44.183338+00:00", "value": {"mitigation_remediation": ["Apply the vendor patch identified by commit 7215ead1e0cd7d3703cc4f5fca06d7d0f4c22b91 to libvips 8.19.0.", "Upgrade to a newer libvips release that incorporates the patch, such as 8.19.1 or later.", "If an immediate upgrade is not possible, limit local execution of the affected library by enforcing strict process isolation or disabling the conversion feature in applications that use libvips."], "summary": {"action": "Apply patch", "impact": "Potential local information disclosure via out\u2011of\u2011bounds read"}, "threat_synthesis": {"affected_systems": "The issue is found in libvips version 8.19.0, the distribution currently in use. No other versions are reported as affected, and earlier releases are not known to contain this specific bug.", "description_and_impact": "A flaw in libvips 8.19.0 allows manipulation of the alpha_band argument in the vips_unpremultiply_build function to cause an out\u2011of\u2011bounds read. The vulnerability is limited to local execution and could expose arbitrary memory contents to the attacker, creating a potential information disclosure. The weakness is a classic out\u2011of\u2011bounds read (CWE\u2011125) that can be triggered by crafted input to the conversion routine.", "risk_and_exploitability": "The CVSS score of 4.8 places the vulnerability in a low\u2011to\u2011medium severity range. The EPSS score indicates a exploitation probability of less than 1%, and the vulnerability is not listed in the CISA KEV catalog. Because the exploit requires local execution and the attack surface is limited to processes with access to the vulnerable library, the overall risk to remote adversaries is low, but internal users or compromised local processes can leverage the flaw for data leakage."}}}}, "created": "2026-02-27T09:12:25.453403+00:00", "updated": "2026-04-16T15:45:16.072659+00:00", "vendors": ["libvips", "libvips$PRODUCT$libvips"]}