UBUNTU-CVE-2026-2913

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2026-2913

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-2913.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-2913

Upstream

CVE-2026-2913

Published

2026-02-22T04:15:00Z

Modified

2026-02-28T06:13:29.635096Z

Severity

2.5 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
7.0 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
1.1 (Low) CVSS_V4 - CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

A vulnerability was determined in libvips up to 8.19.0. The affected element is the function vipssourcereadtomemory of the file libvips/iofuncs/source.c. This manipulation causes heap-based buffer overflow. It is possible to launch the attack on the local host. The attack's complexity is rated as high. The exploitability is described as difficult. The exploit has been publicly disclosed and may be utilized. Patch name: a56feecbe9ed66521d9647ec9fbcd2546eccd7ee. Applying a patch is the recommended action to fix this issue. The confirmation of the bugfix mentions: "[T]he impact of this is negligible, since this only affects custom seekable sources larger than 4 GiB (and the crash occurs in user code rather than libvips itself)."

References

Affected packages

Ubuntu:20.04:LTS

vips

Package

Name: vips
Purl: pkg:deb/ubuntu/vips@8.9.1-2?arch=source&distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

8.*

8.7.4-1build1

8.8.3-3

8.8.3-3ubuntu1

8.9.0-1

8.9.0-1build1

8.9.1-1

8.9.1-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "8.9.1-2",
            "binary_name": "gir1.2-vips-8.0"
        },
        {
            "binary_version": "8.9.1-2",
            "binary_name": "libvips-dev"
        },
        {
            "binary_version": "8.9.1-2",
            "binary_name": "libvips-tools"
        },
        {
            "binary_version": "8.9.1-2",
            "binary_name": "libvips42"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-2913.json"

Ubuntu:24.04:LTS

vips

Package

Name: vips
Purl: pkg:deb/ubuntu/vips@8.15.1-1.1build4?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

8.*

8.14.3-1

8.14.5-1

8.15.0-1

8.15.0-2

8.15.1-1

8.15.1-1build1

8.15.1-1.1build3

8.15.1-1.1build4

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "8.15.1-1.1build4",
            "binary_name": "gir1.2-vips-8.0"
        },
        {
            "binary_version": "8.15.1-1.1build4",
            "binary_name": "libvips-dev"
        },
        {
            "binary_version": "8.15.1-1.1build4",
            "binary_name": "libvips-tools"
        },
        {
            "binary_version": "8.15.1-1.1build4",
            "binary_name": "libvips42t64"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-2913.json"

Ubuntu:25.10

vips

Package

Name: vips
Purl: pkg:deb/ubuntu/vips@8.16.1-1?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

8.*

8.16.0-2build1

8.16.1-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "8.16.1-1",
            "binary_name": "gir1.2-vips-8.0"
        },
        {
            "binary_version": "8.16.1-1",
            "binary_name": "libvips-dev"
        },
        {
            "binary_version": "8.16.1-1",
            "binary_name": "libvips-tools"
        },
        {
            "binary_version": "8.16.1-1",
            "binary_name": "libvips42t64"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-2913.json"

Ubuntu:Pro:16.04:LTS

vips

Package

Name: vips
Purl: pkg:deb/ubuntu/vips@8.2.2-1ubuntu0.1~esm1?arch=source&distro=esm-apps/xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

7.*

7.40.6-2ubuntu2

8.*

8.0.2-2

8.2.1-1

8.2.2-1

8.2.2-1ubuntu0.1~esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "8.2.2-1ubuntu0.1~esm1",
            "binary_name": "gir1.2-vips-8.0"
        },
        {
            "binary_version": "8.2.2-1ubuntu0.1~esm1",
            "binary_name": "libvips-dev"
        },
        {
            "binary_version": "8.2.2-1ubuntu0.1~esm1",
            "binary_name": "libvips-tools"
        },
        {
            "binary_version": "8.2.2-1ubuntu0.1~esm1",
            "binary_name": "libvips42"
        },
        {
            "binary_version": "8.2.2-1ubuntu0.1~esm1",
            "binary_name": "python-vipscc"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-2913.json"

Ubuntu:Pro:18.04:LTS

vips

Package

Name: vips
Purl: pkg:deb/ubuntu/vips@8.4.5-1ubuntu0.1~esm1?arch=source&distro=esm-apps/bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

8.*

8.4.5-1build1

8.4.5-1ubuntu0.1~esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "8.4.5-1ubuntu0.1~esm1",
            "binary_name": "gir1.2-vips-8.0"
        },
        {
            "binary_version": "8.4.5-1ubuntu0.1~esm1",
            "binary_name": "libvips-dev"
        },
        {
            "binary_version": "8.4.5-1ubuntu0.1~esm1",
            "binary_name": "libvips-tools"
        },
        {
            "binary_version": "8.4.5-1ubuntu0.1~esm1",
            "binary_name": "libvips42"
        },
        {
            "binary_version": "8.4.5-1ubuntu0.1~esm1",
            "binary_name": "python-vipscc"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-2913.json"

Ubuntu:Pro:22.04:LTS

vips

Package

Name: vips
Purl: pkg:deb/ubuntu/vips@8.12.1-1ubuntu0.1~esm1?arch=source&distro=esm-apps/jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

8.*

8.10.5-2ubuntu1

8.11.4-2

8.12.1-1

8.12.1-1build1

8.12.1-1ubuntu0.1~esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "8.12.1-1ubuntu0.1~esm1",
            "binary_name": "gir1.2-vips-8.0"
        },
        {
            "binary_version": "8.12.1-1ubuntu0.1~esm1",
            "binary_name": "libvips-dev"
        },
        {
            "binary_version": "8.12.1-1ubuntu0.1~esm1",
            "binary_name": "libvips-tools"
        },
        {
            "binary_version": "8.12.1-1ubuntu0.1~esm1",
            "binary_name": "libvips42"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-2913.json"