MGASA-2026-0237

Source
https://advisories.mageia.org/MGASA-2026-0237.html
Import Source
https://advisories.mageia.org/MGASA-2026-0237.json
JSON Data
https://api.osv.dev/v1/vulns/MGASA-2026-0237
Upstream
Published
2026-07-08T16:36:03Z
Modified
2026-07-08T16:45:04.937786660Z
Summary
Updated vips packages fix security vulnerabilities
Details

This update fixes several security issues: A flaw has been found in libvips up to 8.18.0. The affected element is the function vipsforeignloadmatrixfileisa/vipsforeignloadmatrixheader of the file libvips/foreign/matrixload.c. Executing a manipulation can lead to memory corruption. The attack needs to be launched locally. (CVE-2026-3145) A vulnerability has been found in libvips up to 8.18.0. The impacted element is the function vipsforeignloadmatrixheader of the file libvips/foreign/matrixload.c. The manipulation leads to null pointer dereference. The attack needs to be performed locally. (CVE-2026-3146) A vulnerability was found in libvips up to 8.18.0. This affects the function vipsforeignloadcsvbuild of the file libvips/foreign/csvload.c. The manipulation results in heap-based buffer overflow. The attack requires a local approach. The exploit has been made public and could be used. (CVE-2026-3147) A security vulnerability has been detected in libvips up to 8.18.2. The affected element is the function imminposvec of the file libvips/deprecated/vips7compat.c of the component nip2 Handler. Such manipulation of the argument n leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed publicly and may be used. (CVE-2026-6491)

References
Credits

Affected packages

Mageia:10 / vips

Package

Name
vips
Purl
pkg:rpm/mageia/vips?arch=source&distro=mageia-10

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.18.3-1.mga10

Ecosystem specific

{
    "section": "core"
}

Database specific

source
"https://advisories.mageia.org/MGASA-2026-0237.json"