How to fix CVE-2025-29769?

Within 7 days: Identify all affected systems and apply vendor patches promptly. If patching is delayed, consider network segmentation to limit exposure.

Is Heap Overflow affected by CVE-2025-29769?

Organizations using libvips face significant risk from CVE-2025-29769, a heap-based buffer overflow vulnerability rated CVSS 8.5. Exploitation could allow attackers to corrupt memory, crash the application, or potentially execute arbitrary code.

CVE-2025-29769

HIGH

2025-04-07 [email protected]

8.5

CVSS 4.0

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:35 vuln.today

Patch Released

Mar 28, 2026 - 18:35 nvd

Patch available

PoC Detected

Oct 09, 2025 - 13:41 vuln.today

Public exploit code

CVE Published

Apr 07, 2025 - 20:15 nvd

HIGH 8.5

Description

libvips is a demand-driven, horizontally threaded image processing library. The heifsave operation could incorrectly determine the presence of an alpha channel in an input when it was not possible to determine the colour interpretation, known internally within libvips as "multiband". There aren't many ways to create a "multiband" input, but it is possible with a well-crafted TIFF image. If a "multiband" TIFF input image had 4 channels and HEIF-based output was requested, this led to libvips creating a 3 channel HEIF image without an alpha channel but then attempting to write 4 channels of data. This caused a heap buffer overflow, which could crash the process. This vulnerability is fixed in 8.16.1.

Analysis

libvips is a demand-driven, horizontally threaded image processing library. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available.

Technical Context

This vulnerability is classified under CWE-122. libvips is a demand-driven, horizontally threaded image processing library. The heifsave operation could incorrectly determine the presence of an alpha channel in an input when it was not possible to determine the colour interpretation, known internally within libvips as "multiband". There aren't many ways to create a "multiband" input, but it is possible with a well-crafted TIFF image. If a "multiband" TIFF input image had 4 channels and HEIF-based output was requested, this led to libvips creating a 3 channel HEIF image without an alpha channel but then attempting to write 4 channels of data. This caused a heap buffer overflow, which could crash the process. This vulnerability is fixed in 8.16.1. Affected products include: Libvips, Debian Debian Linux.

Affected Products

Libvips, Debian Debian Linux.

Remediation

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +42

POC: +20

CVE-2025-29769 vulnerability details – vuln.today

Back

CVE-2025-29769

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-29769

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code