CVE-2026-2913: Heap-based Buffer Overflow in libvips
A vulnerability was determined in libvips up to 8.19.0. The affected element is the function vips_source_read_to_memory in the file libvips/iofuncs/source.c. This manipulation causes a heap-based buffer overflow. It is possible to launch the attack on the local host. The attack's complexity is rated as high. The exploitability is described as difficult. The exploit has been publicly disclosed and may be utilized. Patch name: a56feecbe9ed66521d9647ec9fbcd2546eccd7ee. Applying the patch is the recommended action to fix this issue. The confirmation of the bugfix mentions: "[T]he impact of this is negligible, since this only affects custom seekable sources larger than 4 GiB (and the crash occurs in user code rather than libvips itself)."
AI Analysis
Technical Summary
CVE-2026-2913 identifies a heap-based buffer overflow vulnerability in the libvips image processing library, affecting all versions up to 8.19.0. The vulnerability resides in the function vips_source_read_to_memory in libvips/iofuncs/source.c. This function mishandles memory when reading from custom seekable sources larger than 4 GiB, leading to a buffer overflow on the heap. The overflow causes a crash in the user code that integrates libvips rather than in libvips itself, which limits the scope of the impact. The vulnerability requires local access to the host system, and exploitation complexity is high because specific conditions must be met: a custom seekable source larger than 4 GiB and precise triggering of the overflow. No authentication or user interaction is necessary, but exploitability is rated as difficult. The vulnerability has been publicly disclosed, but no known exploits are currently active in the wild. The patch identified by commit a56feecbe9ed66521d9647ec9fbcd2546eccd7ee fixes the issue by correcting the memory handling in the affected function. The CVSS v4.0 score is 2.0, indicating low severity, primarily because the impact is limited to local crashes and does not lead to code execution or privilege escalation. This vulnerability mainly affects applications and systems that use libvips for image processing tasks involving large custom seekable sources, which are relatively uncommon scenarios.
Potential Impact
The primary impact of CVE-2026-2913 is a potential denial of service through application crashes when processing large custom seekable sources exceeding 4 GiB in size. Since the crash occurs in user code rather than libvips itself, the risk of remote code execution or privilege escalation is negligible. However, for organizations relying on libvips in critical image processing workflows, especially those handling very large images or custom data sources, this vulnerability could lead to instability or service interruptions. The requirement for local access and the high complexity of exploitation reduce the likelihood of widespread attacks. Nonetheless, unpatched systems could experience unexpected application failures, potentially affecting availability and operational continuity in environments where libvips is embedded in local processing pipelines or desktop applications.
Mitigation Recommendations
To mitigate CVE-2026-2913, organizations should apply the official patch identified by commit a56feecbe9ed66521d9647ec9fbcd2546eccd7ee as soon as possible. Beyond patching, it is advisable to audit where libvips is used and identify any workflows that process custom seekable sources larger than 4 GiB, then assess their exposure. Restrict local access to trusted users only, as exploitation requires local presence. Monitor for application crashes related to image processing tasks to detect potential exploitation attempts or stability issues. Where feasible, limit the size of input sources to below 4 GiB or validate input sizes before processing to reduce risk. Additionally, maintain up-to-date software inventories and ensure that libvips dependencies are regularly updated to incorporate security fixes.
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, Canada, Australia, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-20T20:20:44.103Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 699a8349be58cf853bd68abf
Added to database: 2/22/2026, 4:17:13 AM
Last enriched: 3/1/2026, 6:18:39 AM
Last updated: 4/8/2026, 6:32:09 AM