CVE-2026-6491 MEDIUM

CVE-2026-6491: libvips nip2 vips7compat.c im_minpos_vec heap-based overflow

Vendor N/A
Product libvips
Weakness CWE-122
Published April 17, 2026
Last update April 18, 2026

CVSS base score

4.8/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A security vulnerability has been detected in libvips up to 8.18.2. The affected element is the function im_minpos_vec of the file libvips/deprecated/vips7compat.c of the component nip2 Handler. Such manipulation of the argument n leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed publicly and may be used. The vendor confirms that they will "be removing the deprecated area in libvips 8.19".

Key dates

02Disclosure timeline

April 17, 2026 CVE published
April 18, 2026 Record updated