CVE-2026-3145 Overview
A memory corruption vulnerability has been discovered in libvips, a fast image processing library. The flaw exists in the vips_foreign_load_matrix_file_is_a and vips_foreign_load_matrix_header functions within the file libvips/foreign/matrixload.c. An attacker with local access can exploit this vulnerability by manipulating matrix file inputs, potentially leading to memory corruption. The vulnerability affects libvips versions up to and including 8.18.0.
Critical Impact
Local attackers can exploit improper handling of empty and very large inputs in the matrix loading functionality to cause memory corruption, potentially affecting system stability and data integrity.
Affected Products
- libvips versions up to and including 8.18.0
- Applications and services that integrate libvips for image processing
- Systems using libvips matrix file loading functionality
Discovery Timeline
- 2026-02-25 - CVE-2026-3145 published to NVD
- 2026-02-25 - Last updated in NVD database
Technical Details for CVE-2026-3145
Vulnerability Analysis
This vulnerability is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer). The flaw resides in the matrix file loading component of libvips, specifically in how the library processes matrix file headers and validates input data. When processing maliciously crafted matrix files, the affected functions fail to properly guard against empty inputs and excessively large values, leading to memory corruption conditions.
The vulnerability requires local access to exploit, meaning an attacker would need to either have direct system access or convince a user to process a malicious matrix file through an application using libvips.
Root Cause
The root cause of this vulnerability is insufficient input validation in the matrix loading functions. The matrixload.c file did not properly validate input boundaries before processing matrix file data. Specifically, the code lacked guards against:
- Empty matrix inputs that could lead to undefined behavior
- Very large input values that could cause buffer operations to exceed allocated memory boundaries
The fix addresses these issues by implementing proper boundary checks before processing matrix file content.
Attack Vector
The attack requires local access to the target system. An attacker can craft a malicious matrix file containing either empty data or excessively large values. When this file is processed by an application using the vulnerable libvips library, the improper input handling leads to memory corruption. This could potentially be leveraged for further exploitation depending on the application context and system configuration.
The following patch was applied to address the vulnerability:
- fix loading/saving of non-8-bit JXL images [DarthSim]
- invertlut: check height before interpolating values [dloebl] [lovell]
- extract: check bounds using unsigned arithmetic [Niebelungen-D] [lovell]
+- matrixload: guard against empty and very large inputs [Niebelungen-D] [lovell]
17/12/25 8.18.0
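Review bot: the added matrixload ChangeLog line says "very large inputs" without stating what limit is now enforced, so a packager cannot tell from the entry which files start being rejected; name the cap in the entry. The line also sits above the "17/12/25 8.18.0" release marker, so it should be clear which release first carries the guard.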
Source: GitHub Commit d4ce337
The specific code change in matrixload.c includes improved error messaging:
for (i = 0, p = line; (q = vips_break_token(p, " \t")) && i < 4; i++, p = q)
if (vips_strtod(p, &header[i])) {
- vips_error("matload", _("bad number \"%s\""), p);
+ vips_error("matrixload", _("bad number \"%s\""), p);
return -1;
}
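Review bot: nothing in this header loop rejects a line that yields no tokens or a parsed value that is out of range for a dimension; the only change visible here is the error domain string, so confirm the empty and large-input guard sits directly after the loop. The loop condition also calls vips_break_token before testing i < 4, so a fifth token is still split off before the loop stops; testing i < 4 first avoids that. Renaming the domain from "matload" to "matrixload" changes the message prefix, so any log matching on the old string needs updating.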
Source: GitHub Commit d4ce337
Detection Methods for CVE-2026-3145
Indicators of Compromise
- Unexpected application crashes when processing matrix files through libvips
- Memory-related errors or segmentation faults in processes using libvips
- Anomalous matrix file inputs with empty content or unusually large dimension values
- Application logs showing errors from the matrixload component
Detection Strategies
- Monitor application logs for error messages containing "matrixload" or "bad number" strings from libvips
- Implement file integrity monitoring on systems processing untrusted matrix files
- Use memory debugging tools (e.g., Valgrind, AddressSanitizer) during development to detect memory corruption
- Audit systems for libvips versions prior to the security patch d4ce337c76bff1b278d7085c3c4f4725e3aa6ece
Monitoring Recommendations
- Enable verbose logging for applications using libvips to capture processing errors
- Monitor for unusual patterns in matrix file processing, particularly files with zero dimensions or extremely large values
- Implement anomaly detection for memory usage spikes in processes utilizing libvips
- Track libvips library versions across your infrastructure for patch compliance
How to Mitigate CVE-2026-3145
Immediate Actions Required
- Identify all systems and applications using libvips versions up to 8.18.0
- Apply the security patch d4ce337c76bff1b278d7085c3c4f4725e3aa6ece or upgrade to a patched version
- Restrict access to matrix file processing functionality to trusted users only
- Review and audit matrix files from untrusted sources before processing
Patch Information
The vulnerability has been addressed in the official libvips repository. The fix is contained in commit d4ce337c76bff1b278d7085c3c4f4725e3aa6ece. Organizations should update their libvips installations to include this patch.
Workarounds
- Implement input validation at the application level before passing matrix files to libvips
- Restrict local access to systems running vulnerable libvips versions
- Consider sandboxing applications that process untrusted matrix files
- Use file size and content validation to reject potentially malicious inputs before processing
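One way to implement the application-level validation from the workarounds above, as an added example that is not libvips or vendor code. It assumes the matrix header layout `width height [scale [offset]]` on the first line; the function name `matrix_header_check` and the 4096 dimension cap are hypothetical application-side choices.

```c
#include <errno.h>
#include <float.h>
#include <stdlib.h>
#include <string.h>

#define MATRIX_MAX_DIM 4096 /* hypothetical application policy, not a libvips limit */

enum matrix_check {
    MATRIX_OK = 0,
    MATRIX_EMPTY,      /* no header fields at all */
    MATRIX_BAD_NUMBER, /* field is not a finite number */
    MATRIX_BAD_COUNT,  /* fewer than 2 or more than 4 fields */
    MATRIX_BAD_SIZE    /* width/height not a whole number in 1..MATRIX_MAX_DIM */
};

/* Check the first line of a matrix file, "width height [scale [offset]]" with
 * fields split on spaces or tabs, before the file is handed to libvips. */
enum matrix_check matrix_header_check(const char *line)
{
    static const char seps[] = " \t\r\n";
    double header[4];
    int n = 0;

    for (const char *p = line;;) {
        char *end;

        p += strspn(p, seps);
        if (*p == '\0')
            break;
        if (n == 4)
            return MATRIX_BAD_COUNT;
        errno = 0;
        header[n] = strtod(p, &end);
        /* Reject non-numbers, overflow, inf/nan and trailing junk such as "3x". */
        if (end == p || errno == ERANGE ||
            !(header[n] >= -DBL_MAX && header[n] <= DBL_MAX) ||
            (*end != '\0' && !strchr(seps, *end)))
            return MATRIX_BAD_NUMBER;
        n++;
        p = end;
    }
    if (n < 2)
        return n == 0 ? MATRIX_EMPTY : MATRIX_BAD_COUNT;
    for (int i = 0; i < 2; i++)
        if (header[i] < 1 || header[i] > MATRIX_MAX_DIM ||
            header[i] != (double) (long) header[i])
            return MATRIX_BAD_SIZE;
    return MATRIX_OK;
}
```

Call it on the first line read from the upload and refuse the file on any non-zero result, in addition to a cap on total file size.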
# Check installed libvips version
vips --version
# Verify if the patch commit is present (if building from source)
cd /path/to/libvips
git log --oneline | grep d4ce337
# Rebuild libvips from patched source (libvips builds with Meson, not autotools)
git pull
meson setup build
meson compile -C build
sudo meson install -C build

