DEBIAN-CVE-2026-6491

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2026-6491

Import Source

https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-6491.json

JSON Data

https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-6491

Upstream

CVE-2026-6491

Published

2026-04-17T14:16:35.187Z

Modified

2026-04-28T20:31:47.388137Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVSS Calculator

Summary

[none]

Details

A security vulnerability has been detected in libvips up to 8.18.2. The affected element is the function imminposvec of the file libvips/deprecated/vips7compat.c of the component nip2 Handler. Such manipulation of the argument n leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed publicly and may be used. The vendor confirms that they will "be removing the deprecated area in libvips 8.19".

References

https://security-tracker.debian.org/tracker/CVE-2026-6491

Affected packages

Debian:11 / vips

Package

Name: vips
Purl: pkg:deb/debian/vips?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

8.*

8.10.5-2

8.10.5-2+deb11u1

8.11.4-1

8.11.4-2

8.12.1-1

8.12.2-1

8.13.0-1

8.13.1-1

8.13.2-1

8.13.3-1

8.13.3-2

8.14.1-1

8.14.1-2

8.14.1-3

8.14.2-1

8.14.3-1

8.14.4-1

8.14.5-1

8.15.0~rc2-1

8.15.0~rc2-2

8.15.0-1

8.15.0-2

8.15.1-1

8.15.1-1.1~exp1

8.15.1-1.1

8.15.2-1

8.15.2-2

8.15.3-1

8.16.0-1

8.16.0-2

8.16.1-1

8.16.1-2

8.17.3-1

8.17.3-2

8.18.0-1

8.18.0-2

8.18.0-3

8.18.1-1

8.18.2-1

Ecosystem specific

{
    "urgency": "unimportant"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-6491.json"

Debian:12 / vips

Package

Name: vips
Purl: pkg:deb/debian/vips?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

8.*

8.14.1-3

8.14.1-3+deb12u1

8.14.1-3+deb12u2

8.14.2-1

8.14.3-1

8.14.4-1

8.14.5-1

8.15.0~rc2-1

8.15.0~rc2-2

8.15.0-1

8.15.0-2

8.15.1-1

8.15.1-1.1~exp1

8.15.1-1.1

8.15.2-1

8.15.2-2

8.15.3-1

8.16.0-1

8.16.0-2

8.16.1-1

8.16.1-2

8.17.3-1

8.17.3-2

8.18.0-1

8.18.0-2

8.18.0-3

8.18.1-1

8.18.2-1

Ecosystem specific

{
    "urgency": "unimportant"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-6491.json"

Debian:13 / vips

Package

Name: vips
Purl: pkg:deb/debian/vips?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

8.*

8.16.1-1

8.16.1-2

8.17.3-1

8.17.3-2

8.18.0-1

8.18.0-2

8.18.0-3

8.18.1-1

8.18.2-1

Ecosystem specific

{
    "urgency": "unimportant"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-6491.json"

Debian:14 / vips

Package

Name: vips
Purl: pkg:deb/debian/vips?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

8.*

8.16.1-1

8.16.1-2

8.17.3-1

8.17.3-2

8.18.0-1

8.18.0-2

8.18.0-3

8.18.1-1

8.18.2-1

Ecosystem specific

{
    "urgency": "unimportant"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-6491.json"