CVE-2026-2913 Overview
A heap-based buffer overflow vulnerability has been identified in libvips up to version 8.19.0. The vulnerability affects the vips_source_read_to_memory function located in libvips/iofuncs/source.c. This manipulation causes a heap-based buffer overflow when processing custom seekable sources larger than 4 GiB due to length truncation issues when converting a 64-bit length value to a 32-bit unsigned integer.
Critical Impact
While the vulnerability allows for potential memory corruption through heap-based buffer overflow, the impact is limited to local attack scenarios involving custom seekable sources exceeding 4 GiB in size, with the crash occurring in user code rather than within libvips itself.
Affected Products
- libvips versions up to 8.19.0
Discovery Timeline
- 2026-02-22 - CVE CVE-2026-2913 published to NVD
- 2026-02-24 - Last updated in NVD database
Technical Details for CVE-2026-2913
Vulnerability Analysis
The vulnerability exists in the vips_source_read_to_memory function within libvips/iofuncs/source.c. When processing large source files, the function fails to properly validate the source length before truncating it from a 64-bit integer to a 32-bit unsigned integer. This numeric truncation occurs when the source->length value is cast to guint for the g_byte_array_set_size function call.
The exploit requires local access to the system and has high attack complexity, as it specifically targets custom seekable sources larger than 4 GiB. The vulnerability is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), indicating memory boundary violations that can lead to heap corruption.
Root Cause
The root cause is a numeric truncation error in the vips_source_read_to_memory function. The original code directly cast source->length (a 64-bit value) to a guint (32-bit unsigned integer) without validating whether the length exceeds UINT_MAX. When processing sources larger than 4 GiB, this truncation causes incorrect buffer allocation sizes, leading to heap-based buffer overflow conditions.
Attack Vector
The attack vector is local, requiring an attacker to have access to the target system. The attacker must craft or provide a custom seekable source larger than 4 GiB to trigger the vulnerability. The attack complexity is rated as high due to the specific conditions required—the source must be seekable, exceed the 4 GiB threshold, and be processed through the affected function path.
// Security patch demonstrating the fix
// Source: https://github.com/libvips/libvips/commit/a56feecbe9ed66521d9647ec9fbcd2546eccd7ee
g_assert(!source->header_bytes);
g_assert(source->length >= 0);
+ if (G_UNLIKELY(source->length > UINT_MAX)) {
+ vips_error(vips_connection_nick(VIPS_CONNECTION(source)),
+ "%s", _("length overflow"));
+ return -1;
+ }
+
if (vips_source_rewind(source))
return -1;
/* We know the length, so we can size the buffer correctly and read
* directly to it.
*/
byte_array = g_byte_array_new();
- g_byte_array_set_size(byte_array, source->length);
+ g_byte_array_set_size(byte_array, (guint) source->length);
read_position = 0;
q = byte_array->data;
Source: GitHub Commit Details
Detection Methods for CVE-2026-2913
Indicators of Compromise
- Unexpected application crashes when processing image sources larger than 4 GiB
- Memory corruption errors in applications using libvips with custom seekable sources
- Abnormal memory allocation patterns in processes utilizing the vips_source_read_to_memory function
Detection Strategies
- Monitor for crashes or segmentation faults in applications linked against libvips versions prior to the patched version
- Implement file size validation logging for sources being processed through libvips to identify potential exploitation attempts
- Use memory debugging tools (such as AddressSanitizer or Valgrind) to detect heap-based buffer overflow conditions in development and testing environments
Monitoring Recommendations
- Enable application crash reporting and analyze stack traces for crashes originating from libvips/iofuncs/source.c
- Audit applications using libvips for custom seekable source implementations that may process files larger than 4 GiB
- Implement runtime monitoring for memory allocation anomalies in systems processing untrusted image data
How to Mitigate CVE-2026-2913
Immediate Actions Required
- Identify all systems and applications utilizing libvips versions up to 8.19.0
- Review application code for usage of custom seekable sources that may exceed 4 GiB
- Apply the official security patch from the libvips repository immediately
- Consider implementing input validation to reject sources larger than 4 GiB as a temporary measure until patching is complete
Patch Information
The vulnerability has been addressed in commit a56feecbe9ed66521d9647ec9fbcd2546eccd7ee. The fix adds a bounds check to verify that source->length does not exceed UINT_MAX before proceeding with memory allocation. If the length exceeds this limit, the function now returns an error with an appropriate "length overflow" message instead of silently truncating the value.
The patch can be obtained from the official libvips GitHub repository. Organizations should update to a version containing this fix as soon as possible.
Workarounds
- Implement application-level validation to reject or handle sources larger than 4 GiB before passing them to libvips
- Avoid using custom seekable sources with libvips until the patch is applied
- Consider using non-seekable source alternatives where feasible for large file processing
# Verify libvips version and check if patch is applied
vips --version
# Check if the patched commit is present in your installation
# Navigate to libvips source directory and run:
git log --oneline | grep a56feecbe9ed66521d9647ec9fbcd2546eccd7ee
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
