Updated vips packages fix security vulnerabilities
Publication date: 08 Jul 2026Modification date: 08 Jul 2026
Type: security
Affected Mageia releases : 10
CVE: CVE-2026-3145 , CVE-2026-3146 , CVE-2026-3147 , CVE-2026-6491
Description
This update fixes several security issues:
A flaw has been found in libvips up to 8.18.0. The affected element is
the function
vips_foreign_load_matrix_file_is_a/vips_foreign_load_matrix_header of
the file libvips/foreign/matrixload.c. Executing a manipulation can lead
to memory corruption. The attack needs to be launched locally.
(CVE-2026-3145)
A vulnerability has been found in libvips up to 8.18.0. The impacted
element is the function vips_foreign_load_matrix_header of the file
libvips/foreign/matrixload.c. The manipulation leads to null pointer
dereference. The attack needs to be performed locally. (CVE-2026-3146)
A vulnerability was found in libvips up to 8.18.0. This affects the
function vips_foreign_load_csv_build of the file
libvips/foreign/csvload.c. The manipulation results in heap-based buffer
overflow. The attack requires a local approach. The exploit has been
made public and could be used. (CVE-2026-3147)
A security vulnerability has been detected in libvips up to 8.18.2. The
affected element is the function im_minpos_vec of the file
libvips/deprecated/vips7compat.c of the component nip2 Handler. Such
manipulation of the argument n leads to heap-based buffer overflow. An
attack has to be approached locally. The exploit has been disclosed
publicly and may be used. (CVE-2026-6491)
References
- https://bugs.mageia.org/show_bug.cgi?id=35747
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IUA7WKE4WATNPXAAALXHMSPAD2GJ2CHS/
- https://www.cve.org/CVERecord?id=CVE-2026-3145
- https://www.cve.org/CVERecord?id=CVE-2026-3146
- https://www.cve.org/CVERecord?id=CVE-2026-3147
- https://www.cve.org/CVERecord?id=CVE-2026-6491
SRPMS
10/core
- vips-8.18.3-1.mga10