CVE-2026-3147: Heap-based Buffer Overflow in libvips
A vulnerability was found in libvips in versions up to 8.18.0. It affects the function vips_foreign_load_csv_build in the file libvips/foreign/csvload.c, the CSV loader. Manipulated input results in a heap-based buffer overflow. The attack vector is rated local: a crafted file has to be processed by the vulnerable library. An exploit has been made public and could be used. The patch is commit b3ab458a25e0e261cbd1788474bbc763f7435780; applying it, or upgrading to a release that contains it, is advisable.
AI Analysis
Technical Summary
CVE-2026-3147 is a heap-based buffer overflow in libvips, the image-processing library, affecting versions 8.18.0 and earlier. The flaw is in vips_foreign_load_csv_build in libvips/foreign/csvload.c, the build step of the CSV loader (the csvload operation, which reads a delimited text matrix as a one-band image). Malformed CSV input is not handled correctly, and a crafted file can write past the end of a heap allocation. The result ranges from a crash of the process that loads the file to, with more effort, memory corruption that could be steered towards code execution in the context of that process. The entry rates the attack vector as local: the attacker must get a crafted file processed by a libvips-based program, and no further user interaction is required. In practice the exposure is therefore not limited to users with a shell on the machine. Any service that passes uploaded or otherwise attacker-chosen files to the CSV loader, for example because a filename ending in .csv is handed to libvips' generic loader, processes such a file exactly as a local user would. The CVSS 4.0 vector reported for the entry indicates low attack complexity, low privileges required, no user interaction, and partial impact on confidentiality, integrity and availability. No in-the-wild exploitation is known, but proof-of-concept code has been published, which raises the urgency of patching. The fix is commit b3ab458a25e0e261cbd1788474bbc763f7435780, which corrects the buffer handling in the loader. The issue matters most for deployments that feed untrusted CSV data to libvips, such as media servers, content management systems and data pipelines that accept matrix data from users.
Potential Impact
The direct impact of CVE-2026-3147 is denial of service: a crafted CSV file crashes the process that loads it. Because the overflow corrupts heap memory, a more capable exploit could achieve code execution with the privileges of that process, leading to compromise of the host, corruption of data, or disruption of image-processing workflows; this is why the entry scores impact on confidentiality, integrity and availability. The exposure is greatest where libvips processes CSV data from untrusted sources, including uploads that a service converts or thumbnails, and where the converting process runs with more privilege than the task needs. Users with local access, including insiders, can trigger the bug directly. The medium CVSS score reflects the local attack vector and the low privileges required, with no user interaction; the published proof of concept raises the likelihood that the issue is tried against exposed pipelines. Affected sectors include media, technology and data analytics, where service availability and data integrity could be impacted.
Mitigation Recommendations
To mitigate CVE-2026-3147, upgrade to a libvips release that contains commit b3ab458a25e0e261cbd1788474bbc763f7435780, or apply that commit to any 8.18.0-or-earlier build you maintain. Confirm the deployed version with `vips --version` or `pkg-config --modversion vips`, bearing in mind that distribution packages may carry the fix under an older version number. Where CSV input is not a business need, disable the loader rather than rely on validation: libvips can block operations by class name (vips_operation_block_set("VipsForeignLoadCsv", TRUE); the class name is inferred from the function named in the advisory), so that any load through it fails with an error. Where CSV input is needed, gate it before libvips sees it: accept only a bounded, rectangular, purely numeric matrix and reject anything else. Run conversion in a separate, least-privileged worker (a container or seccomp-confined process without network or credential access) so that a crash or code execution inside libvips does not compromise the service. Keep ASLR enabled, build with a hardened allocator and, in test environments, AddressSanitizer, and fuzz the CSV path if you ship your own libvips build. Alert on crashes (SIGSEGV, SIGABRT, core dumps) in processes that link libvips and on CSV inputs rejected by the gate. Treat CSV files from untrusted sources with the same suspicion as any other untrusted image format.
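The two checks implied by the recommendations above, as an added example written for this page and not code from libvips or VulDB: a version test that flags builds at or below 8.18.0 (assuming any later release carries the fixing commit, which a distribution backport would invalidate), and an input gate that admits only a bounded, rectangular, numeric text matrix before the bytes reach csvload. The size limits and helper names are this example's own; the field-splitting rules follow csvload's documented `separator`, `whitespace` and `skip` options, and all sample inputs are constructed here.

```python
"""Added example for CVE-2026-3147 (not libvips or VulDB code).

is_affected():          compare a version string from `vips --version` or
                        `pkg-config --modversion vips` against 8.18.0.
                        Assumption: every later release contains commit
                        b3ab458a; a distro backport is a false positive here.
validate_csv_matrix():  input gate run before the bytes are handed to
                        libvips' csvload.  Limits are assumed values.
"""
import re
from dataclasses import dataclass

AFFECTED_MAX = (8, 18, 0)          # advisory: libvips "up to 8.18.0"
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
# Plain decimal or scientific-notation number; nothing else is a valid cell.
_NUMBER_RE = re.compile(r"[+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?")


def parse_vips_version(text: str) -> tuple[int, int, int]:
    """Pull x.y.z out of strings like 'vips-8.18.0' or '8.17.3-<build date>'."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no x.y.z version in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(version_text: str) -> bool:
    """True when the reported libvips version is 8.18.0 or older."""
    return parse_vips_version(version_text) <= AFFECTED_MAX


@dataclass(frozen=True)
class CsvLimits:
    """Hard caps for the gate (assumed values; tune to your workload)."""
    max_bytes: int = 8 * 1024 * 1024
    max_rows: int = 10_000
    max_cols: int = 10_000
    max_field_len: int = 64


def validate_csv_matrix(data: bytes, *, separator: str = ";", whitespace: str = " \t",
                        skip: int = 0, limits: CsvLimits = CsvLimits()) -> tuple[int, int]:
    """Return (width, height) of a well-formed matrix, or raise ValueError.

    Rejects oversized input, non-ASCII bytes, blank or ragged rows, empty
    fields such as "1;;2", non-numeric cells and over-long cells.
    """
    if len(data) > limits.max_bytes:
        raise ValueError(f"{len(data)} bytes exceeds limit of {limits.max_bytes}")
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError("non-ASCII byte in CSV matrix") from exc

    sep = "[" + re.escape(separator) + "]"
    ws = "[" + re.escape(whitespace) + "]"
    # One separator (with optional surrounding whitespace) or a run of whitespace.
    splitter = re.compile(f"{ws}*{sep}{ws}*|{ws}+")

    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()                      # tolerate exactly one trailing newline
    rows = lines[skip:]
    if not rows:
        raise ValueError("no data rows after skipping header lines")
    if len(rows) > limits.max_rows:
        raise ValueError(f"{len(rows)} rows exceeds limit of {limits.max_rows}")

    width = None
    for lineno, line in enumerate(rows, start=skip + 1):
        fields = splitter.split(line.strip(whitespace + "\r"))
        if len(fields) > limits.max_cols:
            raise ValueError(f"line {lineno}: {len(fields)} columns exceeds limit")
        if width is None:
            width = len(fields)
        elif len(fields) != width:
            raise ValueError(f"line {lineno}: {len(fields)} columns, expected {width}")
        for field in fields:
            if field == "" or len(field) > limits.max_field_len or not _NUMBER_RE.fullmatch(field):
                raise ValueError(f"line {lineno}: bad cell {field!r}")
    return (width, len(rows))


def rejects(data: bytes, **kwargs) -> bool:
    """True if the gate refuses `data`; convenient for tests and self-checks."""
    try:
        validate_csv_matrix(data, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs, not files from the advisory or its proof of concept.
    print(is_affected("vips-8.18.0"), is_affected("vips-8.19.0"))      # True False
    print(validate_csv_matrix(b"1 2 3\n4 5 6\n"))                       # (3, 2)
    print(rejects(b"1 2\n3\n"), rejects(b"1;;2\n"), rejects(b"1 x\n"))  # True True True
```

Run the gate in the process that receives the file, before it is written to disk for libvips; a rejected matrix never reaches vips_foreign_load_csv_build. The gate narrows what the vulnerable parser sees but is not a substitute for the patch, since only the commit removes the overflow.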
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, China, India, Canada, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-24T19:53:50.410Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 699e7674b7ef31ef0bd379e8
Added to database: 2/25/2026, 4:11:32 AM
Last enriched: 2/25/2026, 4:27:45 AM
Last updated: 4/12/2026, 7:52:31 AM
Views: 156