libvips
cpe:2.3:a:libvips:libvips:*:*:*:*:*:*:*
- <= 8.18.0
A heap-based buffer overflow vulnerability has been identified in libvips versions through 8.18.0. The issue arises in the CSV loading function, vips_foreign_load_csv_build, within the file libvips/foreign/csvload.c. The vulnerability is triggered by using non-ASCII characters in the whitespace and separator options, which can corrupt adjacent memory. This vulnerability requires local access to exploit.
Exploitation of this vulnerability leads to a heap-based buffer overflow, allowing for potential memory corruption.
The vulnerability can be reproduced by building libvips with AddressSanitizer enabled, preparing a CSV file, and then running the 'vips csvload' command with a non-ASCII whitespace option, such as an emoji. AddressSanitizer then reports a heap-buffer-overflow error, confirming that the overflow was triggered.
Users are advised to update to libvips version 8.19.0 or later, where this vulnerability has been patched.
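The bug class described above, as an added example that is not libvips source code: it assumes the loader marks each byte of the whitespace and separator options in a 256-entry lookup table, a detail this page does not state. All function names and the sample emoji string are constructed for illustration; the code shows why a byte of a non-ASCII character produces a negative index when plain char is signed, and the unsigned char cast that keeps the index in range.

```c
#include <stdio.h>
#include <string.h>

#define MAP_SIZE 256

/* Index a naive loop computes when plain char is signed (as on x86):
 * every byte >= 0x80, i.e. every byte of a non-ASCII UTF-8 character,
 * turns into a negative offset in front of the table. */
static int naive_index(char c) { return (int) (signed char) c; }

/* Hardened index: widen through unsigned char, result is always 0..255. */
static int safe_index(char c) { return (int) (unsigned char) c; }

/* Count option bytes whose naive index would land outside the table. */
int count_out_of_bounds(const char *opt)
{
    int n = 0;
    for (const char *p = opt; *p; p++) {
        int i = naive_index(*p);
        if (i < 0 || i >= MAP_SIZE)
            n++;
    }
    return n;
}

/* Build the membership map safely, then report whether `byte` is marked. */
int option_byte_is_mapped(const char *opt, unsigned char byte)
{
    unsigned char map[MAP_SIZE];
    memset(map, 0, sizeof(map));
    for (const char *p = opt; *p; p++)
        map[safe_index(*p)] = 1;
    return map[byte];
}

int main(void)
{
    const char *emoji = "\xF0\x9F\x98\x80"; /* constructed sample: U+1F600 */
    printf("naive index of first byte: %d\n", naive_index(emoji[0]));
    printf("out-of-bounds bytes: %d of %zu\n",
           count_out_of_bounds(emoji), strlen(emoji));
    printf("0xF0 mapped safely: %d\n", option_byte_is_mapped(emoji, 0xF0));
    return 0;
}
```

The same check, run over user-supplied option strings before they reach a table lookup, is a quick way to audit similar loaders for this pattern.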