CVE-2025-29769

low-risk

Published 2025-04-07

libvips is a demand-driven, horizontally threaded image processing library. The heifsave operation could incorrectly determine the presence of an alpha channel in an input when it was not possible to determine the colour interpretation, known internally within libvips as "multiband". There aren't many ways to create a "multiband" input, but it is possible with a well-crafted TIFF image. If a "multiband" TIFF input image had 4 channels and HEIF-based output was requested, this led to libvips creating a 3 channel HEIF image without an alpha channel but then attempting to write 4 channels of data. This caused a heap buffer overflow, which could crash the process. This vulnerability is fixed in 8.16.1.

Do I need to act?

0.10% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.5/10 Medium

LOCAL / LOW complexity

Affected Products (2)

Libvips

Debian Linux

Affected Vendors

Debian Libvips

References (6)

Patch https://github.com/libvips/libvips/commit/9ab6784f693de50b00fa535b9efbbe9d2cbf71...

Issue Tracking https://github.com/libvips/libvips/pull/4392

Issue Tracking https://github.com/libvips/libvips/pull/4394

Patch https://github.com/libvips/libvips/security/advisories/GHSA-f8r8-43hh-rghm

Exploit https://issues.oss-fuzz.com/issues/396460413

Mailing List https://lists.debian.org/debian-lts-announce/2025/04/msg00044.html

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 7/34 · Low