DEBIAN-CVE-2026-2913

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2026-2913

Import Source

https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-2913.json

JSON Data

https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-2913

Upstream

CVE-2026-2913

Published

2026-02-22T04:15:59.790Z

Modified

2026-02-26T08:01:14.843439Z

Severity

7.0 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

A vulnerability was determined in libvips up to 8.19.0. The affected element is the function vipssourcereadtomemory of the file libvips/iofuncs/source.c. This manipulation causes heap-based buffer overflow. It is possible to launch the attack on the local host. The attack's complexity is rated as high. The exploitability is described as difficult. The exploit has been publicly disclosed and may be utilized. Patch name: a56feecbe9ed66521d9647ec9fbcd2546eccd7ee. Applying a patch is the recommended action to fix this issue. The confirmation of the bugfix mentions: "[T]he impact of this is negligible, since this only affects custom seekable sources larger than 4 GiB (and the crash occurs in user code rather than libvips itself)."

References

https://security-tracker.debian.org/tracker/CVE-2026-2913

Affected packages

Debian:11 / vips

Package

Name: vips
Purl: pkg:deb/debian/vips?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

8.*

8.10.5-2

8.10.5-2+deb11u1

8.11.4-1

8.11.4-2

8.12.1-1

8.12.2-1

8.13.0-1

8.13.1-1

8.13.2-1

8.13.3-1

8.13.3-2

8.14.1-1

8.14.1-2

8.14.1-3

8.14.2-1

8.14.3-1

8.14.4-1

8.14.5-1

8.15.0~rc2-1

8.15.0~rc2-2

8.15.0-1

8.15.0-2

8.15.1-1

8.15.1-1.1~exp1

8.15.1-1.1

8.15.2-1

8.15.2-2

8.15.3-1

8.16.0-1

8.16.0-2

8.16.1-1

8.16.1-2

8.17.3-1

8.17.3-2

8.18.0-1

8.18.0-2

8.18.0-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-2913.json"

Debian:12 / vips

Package

Name: vips
Purl: pkg:deb/debian/vips?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

8.*

8.14.1-3

8.14.1-3+deb12u1

8.14.1-3+deb12u2

8.14.2-1

8.14.3-1

8.14.4-1

8.14.5-1

8.15.0~rc2-1

8.15.0~rc2-2

8.15.0-1

8.15.0-2

8.15.1-1

8.15.1-1.1~exp1

8.15.1-1.1

8.15.2-1

8.15.2-2

8.15.3-1

8.16.0-1

8.16.0-2

8.16.1-1

8.16.1-2

8.17.3-1

8.17.3-2

8.18.0-1

8.18.0-2

8.18.0-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-2913.json"

Debian:13 / vips

Package

Name: vips
Purl: pkg:deb/debian/vips?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

8.*

8.16.1-1

8.16.1-2

8.17.3-1

8.17.3-2

8.18.0-1

8.18.0-2

8.18.0-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-2913.json"

Debian:14 / vips

Package

Name: vips
Purl: pkg:deb/debian/vips?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.18.0-2

Affected versions

8.*

8.16.1-1

8.16.1-2

8.17.3-1

8.17.3-2

8.18.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-2913.json"