CVE-2026-3145: Memory Corruption in libvips
CVE-2026-3145 is a medium severity memory corruption vulnerability in libvips versions up to 8.18.0, specifically in the functions vips_foreign_load_matrix_file_is_a and vips_foreign_load_matrix_header within matrixload.c. Exploitation requires local access and can lead to memory corruption, potentially affecting confidentiality, integrity, and availability of applications using libvips. No user interaction or elevated privileges beyond local access are required. No known exploits are currently in the wild. A patch has been issued to remediate the issue, and applying it is strongly recommended to prevent exploitation.
AI Analysis
Technical Summary
The vulnerability CVE-2026-3145 affects libvips, an open-source image processing library widely used for efficient image transformations. The flaw resides in the matrix loading functionality, specifically in the functions vips_foreign_load_matrix_file_is_a and vips_foreign_load_matrix_header implemented in the source file libvips/foreign/matrixload.c. Improper handling of input data during matrix file loading can lead to memory corruption, which may cause application crashes or potentially allow an attacker to execute arbitrary code or manipulate application behavior. Exploitation requires local access with limited privileges and does not require user interaction. The vulnerability affects all libvips versions from 8.0 through 8.18.0. The patch identified by commit d4ce337c76bff1b278d7085c3c4f4725e3aa6ece addresses this issue by correcting the input validation and memory handling logic. The CVSS v4.0 base score is 4.8, reflecting medium severity due to the local attack vector and limited scope of impact. No known exploits have been reported in the wild, but the vulnerability poses a risk to any software or systems that incorporate vulnerable libvips versions, especially those processing untrusted matrix files locally.
Potential Impact
The primary impact of this vulnerability is memory corruption, which can lead to application crashes or undefined behavior, potentially causing denial of service. In some cases, memory corruption vulnerabilities can be leveraged to execute arbitrary code, compromising system integrity and confidentiality. Since exploitation requires local access, the threat is limited to attackers who have some level of access to the affected system, such as insiders or attackers who have already breached perimeter defenses. Organizations using libvips in image processing pipelines or applications that load matrix files locally may experience service disruptions or data integrity issues if exploited. The vulnerability could also be chained with other exploits to escalate privileges or move laterally within a network. Given libvips' use in various Linux distributions and software stacks, the impact could be widespread in environments relying on this library for image processing tasks.
Mitigation Recommendations
To mitigate this vulnerability, organizations should promptly apply the official patch identified by commit d4ce337c76bff1b278d7085c3c4f4725e3aa6ece or upgrade libvips to a version later than 8.18.0 where the issue is resolved. Additionally, restrict local access to trusted users only, minimizing the risk of exploitation by untrusted local actors. Implement strict input validation and sanitization for any matrix files processed by applications using libvips to reduce the risk of malformed inputs triggering the vulnerability. Employ runtime protections such as memory corruption mitigations (e.g., ASLR, DEP) to limit the impact of potential exploitation. Regularly audit and monitor systems for unusual behavior or crashes related to image processing components. Finally, maintain an inventory of software dependencies to quickly identify and remediate vulnerable libvips versions in the environment.
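For the dependency-inventory step, the following added example (not part of the original advisory or of libvips) classifies a libvips version against the range listed above, 8.0 through 8.18.0. The function names are hypothetical, and it assumes the library is discoverable through the pkg-config module `vips` or through `vips --version` output beginning with `vips-<version>`.

```shell
#!/bin/sh
# Added example: compare a libvips version with the advisory's affected range.

# libvips_status VERSION -> prints "affected", "outside-range" or "unknown"
libvips_status() {
    ver=$1
    # Accept only dotted numeric versions; reject empty or malformed strings.
    case $ver in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ver                      # split MAJOR.MINOR[.PATCH] on dots
    IFS=$old_ifs
    if [ $# -lt 2 ] || [ $# -gt 3 ]; then echo unknown; return 0; fi
    major=$1; minor=$2; patch=${3:-0}
    if [ "$major" -ne 8 ]; then
        echo outside-range           # the advisory lists only 8.x releases
    elif [ "$minor" -lt 18 ]; then
        echo affected                # 8.0 up to 8.17.x
    elif [ "$minor" -eq 18 ] && [ "$patch" -eq 0 ]; then
        echo affected                # 8.18.0 is the last listed release
    else
        echo outside-range           # later than 8.18.0
    fi
}

# installed_libvips_version -> prints the detected version, or an empty line
installed_libvips_version() {
    v=$(pkg-config --modversion vips 2>/dev/null) || v=
    if [ -z "$v" ]; then
        # Assumed output format: "vips-8.x.y" optionally followed by a build date
        v=$(vips --version 2>/dev/null |
            sed -n 's/^vips-\([0-9][0-9.]*\).*/\1/p') || v=
    fi
    printf '%s\n' "$v"
}

found=$(installed_libvips_version)
echo "libvips ${found:-not found}: $(libvips_status "$found")"
```

A version inside the range is only a starting point: distribution packages can carry the fix commit as a backport without changing the upstream version number, so confirm against the package changelog before treating a host as vulnerable.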
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, China, India, Canada, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-24T19:53:43.308Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 699e6866b7ef31ef0bae9de9
Added to database: 2/25/2026, 3:11:34 AM
Last enriched: 2/25/2026, 3:27:20 AM
Last updated: 2/25/2026, 5:26:03 AM