CVE-2026-6491

Name: CVE-2026-6491
Description: A security vulnerability has been detected in libvips up to 8.18.2. The affected element is the function im_minpos_vec in the file libvips/deprecated/vips7compat.c of the nip2 Handler component. Manipulation of the argument n leads to a heap-based buffer overflow. The attack requires local access. The exploit has been disclosed publicly and may be used. The vendor confirms that they will "be removing the deprecated area in libvips 8.19".
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                         Version             Status
vips (PTS)       bullseye                        8.10.5-2            vulnerable
                 bullseye (security)             8.10.5-2+deb11u1    vulnerable
                 bookworm, bookworm (security)   8.14.1-3+deb12u2    vulnerable
                 trixie                          8.16.1-1            vulnerable
                 forky, sid                      8.18.2-1            vulnerable

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version   Urgency       Origin   Debian Bugs
vips      source   (unstable)   (unfixed)       unimportant   -        -

Notes

https://github.com/libvips/libvips/issues/4965
Not considered a security vulnerability by vips upstream
