{"id":"CVE-2026-3282","details":"A flaw has been found in libvips 8.19.0. It affects the function vips_unpremultiply_build in the file libvips/conversion/unpremultiply.c. Manipulating the argument alpha_band can lead to an out-of-bounds read. The attack must be launched locally. The exploit has been published and may be used. The patch is identified by commit 7215ead1e0cd7d3703cc4f5fca06d7d0f4c22b91. The patch should be applied to remediate this issue.","modified":"2026-04-12T20:14:06.682912Z","published":"2026-02-27T03:16:02.713Z","references":[{"type":"WEB","url":"https://github.com/libvips/libvips/"},{"type":"ADVISORY","url":"https://vuldb.com/?id.348011"},{"type":"ADVISORY","url":"https://vuldb.com/?submit.758862"},{"type":"REPORT","url":"https://github.com/libvips/libvips/issues/4881"},{"type":"REPORT","url":"https://github.com/libvips/libvips/issues/4881#issue-3944216443"},{"type":"REPORT","url":"https://vuldb.com/?ctiid.348011"},{"type":"FIX","url":"https://github.com/libvips/libvips/commit/7215ead1e0cd7d3703cc4f5fca06d7d0f4c22b91"},{"type":"FIX","url":"https://github.com/libvips/libvips/pull/4886"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/libvips/libvips","events":[{"introduced":"0"},{"fixed":"7215ead1e0cd7d3703cc4f5fca06d7d0f4c22b91"}]}],"versions":["v7.28.0","v8.0-beta","v8.1","v8.10.0","v8.10.0-beta1","v8.10.0-beta2","v8.10.0-rc1","v8.10.0-rc2","v8.10.6-beta2","v8.11","v8.11.0","v8.11.0-rc1","v8.12.0","v8.12.0-rc1","v8.13.0","v8.13.0-pre1","v8.13.0-rc1","v8.13.0-rc2","v8.14.0","v8.14.0-rc1","v8.15.0","v8.15.0-rc2","v8.16.0","v8.16.0-rc1","v8.16.0-rc2","v8.17.0","v8.17.0-rc1","v8.17.0-test1","v8.17.0-test2","v8.17.0-test3","v8.17.0-test4","v8.18.0","v8.18.0-alpha1","v8.18.0-alpha2","v8.18.0-rc1","v8.18.0-rc2","v8.18.0-rc3","v8.2.2","v8.3.0","v8.5.1","v8.5.2","v8.5.3","v8.6.0","v8.6.0-alpha1","v8.6.0-alpha2","v8.6.0-beta1","v8.6.0-beta2","v8.7.0","v8.7.0-alpha2","v8.7.0-rc1","v8.7.0-rc2","v8.7.0-rc3","v8.8.0","v8.8.0
-rc1","v8.8.0-rc2","v8.8.0-rc3","v8.9.0","v8.9.0-alpha1","v8.9.0-beta1","v8.9.0-beta2","v8.9.0-rc1","v8.9.0-rc2","v8.9.0-rc3","v8.9.0-rc4"],"database_specific":{"vanir_signatures_modified":"2026-04-12T20:14:06Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-3282.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"8.19.0"}]}],"vanir_signatures":[{"deprecated":false,"digest":{"threshold":0.9,"line_hashes":["228699000367218711452435730317844781358","120818877213528353593399506839222884387","293091068183294860478338276254690602227","166225840008792138840082394730813340931"]},"source":"https://github.com/libvips/libvips/commit/7215ead1e0cd7d3703cc4f5fca06d7d0f4c22b91","signature_version":"v1","id":"CVE-2026-3282-12b464e3","signature_type":"Line","target":{"file":"libvips/conversion/unpremultiply.c"}},{"deprecated":false,"digest":{"length":1054,"function_hash":"30116455859942596165143134174003670732"},"source":"https://github.com/libvips/libvips/commit/7215ead1e0cd7d3703cc4f5fca06d7d0f4c22b91","signature_version":"v1","id":"CVE-2026-3282-adcb5190","signature_type":"Function","target":{"function":"vips_unpremultiply_build","file":"libvips/conversion/unpremultiply.c"}}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"}]}