Skip to main content

Libvips EUVD-2026-23432

| CVE-2026-6491 LOW
Heap-based Buffer Overflow (CWE-122)
2026-04-17 VulDB
Heap Overflow Buffer Overflow Libvips
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

8
Severity Changed
Apr 29, 2026 - 01:12 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:12 NVD
4.8 (MEDIUM) 1.9 (LOW)
PoC Detected
Apr 29, 2026 - 01:00 vuln.today
Public exploit code
Analysis Generated
Apr 17, 2026 - 14:28 vuln.today
CVSS changed
Apr 17, 2026 - 14:22 NVD
5.3 (MEDIUM) 4.8 (MEDIUM)
EUVD ID Assigned
Apr 17, 2026 - 14:15 euvd
EUVD-2026-23432
Analysis Generated
Apr 17, 2026 - 14:15 vuln.today
CVE Published
Apr 17, 2026 - 13:45 nvd
LOW 1.9

DescriptionCVE.org

A security vulnerability has been detected in libvips up to 8.18.2. The affected element is the function im_minpos_vec of the file libvips/deprecated/vips7compat.c of the component nip2 Handler. Such manipulation of the argument n leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed publicly and may be used. The vendor confirms that they will "be removing the deprecated area in libvips 8.19".

AnalysisAI

Heap-based buffer overflow in libvips up to version 8.18.2 via the deprecated im_minpos_vec function in libvips/deprecated/vips7compat.c allows authenticated local attackers to trigger memory corruption through manipulation of the argument n, with publicly available exploit code confirmed and vendor commitment to remove the deprecated code in libvips 8.19.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local system access as authenticated user
Delivery
Invoke application or library using libvips
Exploit
Craft malicious n argument to im_minpos_vec
Execution
Trigger heap buffer overflow
Persist
Corrupt adjacent memory structures
Impact
Potential code execution or information disclosure
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires all of the following: (1) Application or library must explicitly invoke the im_minpos_vec function from libvips/deprecated/vips7compat.c (not required for applications using only vips8 API); (2) Attacker must be an authenticated local user with execution privileges on the system (PR:L in CVSS vector); (3) The vulnerable libvips version must be 8.18.2 or earlier; (4) The n argument passed to im_minpos_vec must be user-controllable or derived from untrusted input. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 4.8 with AV:L/AC:L/PR:L indicates a locally exploitable vulnerability requiring authenticated access, with low attack complexity but limited scope of impact (VC:L, VI:L, VA:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local authenticated user with shell access to a system running an older application that uses libvips (version 8.18.2 or earlier) crafts a request to the application that triggers image processing via the deprecated im_minpos_vec function with a maliciously large value for the n argument. The crafted input causes the function to write beyond heap buffer boundaries, corrupting adjacent memory structures and potentially allowing the attacker to achieve information disclosure or, in carefully constructed scenarios, code execution within the application's process context.
Remediation Upgrade libvips to version 8.19 or later, which will remove the deprecated vips7compat.c module entirely and eliminate the vulnerable function. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-23432 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy