Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    26 vulnerabilities by pnggroup

    CVE-2026-40930 (GCVE-0-2026-40930)

    Vulnerability from nvd – Published: 2026-06-04 14:34 – Updated: 2026-06-04 16:37
    VLAI
    Title
    LIBPNG: Chunk smuggling in push-mode APNG parser via unconsumed chunk body
    Summary
    LIBPNG is a reference library for use in applications that process PNG (Portable Network Graphics) raster image files. In version 1.8.0, three inter-frame chunk discard paths in the push-mode APNG parser clear the chunk-header flag without consuming the chunk body and CRC, allowing attacker-controlled bytes inside an ignored ancillary chunk to be reinterpreted as a fresh chunk header on the next call to `png_process_data`. Commit faf06924688b62d7c1654b5ceddedbde66ffadb4 fixes the issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-436 - Interpretation Conflict
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2026-06-04T15:05:19.991Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/05/15/21"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40930",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-04T16:37:21.465127Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-04T16:37:38.286Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "libpng",
              "vendor": "pnggroup",
              "versions": [
                {
                  "status": "affected",
                  "version": "= 1.8.0"
                }
              ]
            },
            {
              "product": "libpng-apng",
              "vendor": "pnggroup",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.6.49, \u003c= 1.6.57"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "LIBPNG is a reference library for use in applications that process PNG (Portable Network Graphics) raster image files. In version 1.8.0, three inter-frame chunk discard paths in the push-mode APNG parser clear the chunk-header flag without consuming the chunk body and CRC, allowing attacker-controlled bytes inside an ignored ancillary chunk to be reinterpreted as a fresh chunk header on the next call to `png_process_data`. Commit faf06924688b62d7c1654b5ceddedbde66ffadb4 fixes the issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-436",
                  "description": "CWE-436: Interpretation Conflict",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-04T14:34:51.843Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pnggroup/libpng/security/advisories/GHSA-c4v6-gxrq-6g2x",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-c4v6-gxrq-6g2x"
            },
            {
              "name": "https://github.com/pnggroup/libpng/commit/faf06924688b62d7c1654b5ceddedbde66ffadb4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/commit/faf06924688b62d7c1654b5ceddedbde66ffadb4"
            }
          ],
          "source": {
            "advisory": "GHSA-c4v6-gxrq-6g2x",
            "discovery": "UNKNOWN"
          },
          "title": "LIBPNG: Chunk smuggling in push-mode APNG parser via unconsumed chunk body"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-40930",
        "datePublished": "2026-06-04T14:34:51.843Z",
        "dateReserved": "2026-04-15T20:40:15.518Z",
        "dateUpdated": "2026-06-04T16:37:38.286Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-34757 (GCVE-0-2026-34757)

    Vulnerability from nvd – Published: 2026-04-09 14:41 – Updated: 2026-05-09 10:21
    VLAI
    Title
    LIBPNG has a yse-after-free in png_set_PLTE, png_set_tRNS and png_set_hIST leading to corrupted chunk data and potential heap information disclosure
    Summary
    LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.0.9 to before 1.6.57, passing a pointer obtained from png_get_PLTE, png_get_tRNS, or png_get_hIST back into the corresponding setter on the same png_struct/png_info pair causes the setter to read from freed memory and copy its contents into the replacement buffer. The setter frees the internal buffer before copying from the caller-supplied pointer, which now dangles. The freed region may contain stale data (producing silently corrupted chunk metadata) or data from subsequent heap allocations (leaking unrelated heap contents into the chunk struct). This vulnerability is fixed in 1.6.57.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    pnggroup libpng Affected: >= 1.0.9, < 1.6.57
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-34757",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-09T16:07:19.169786Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-09T16:07:31.052Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2026-05-09T10:21:48.394Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://lists.debian.org/debian-lts-announce/2026/05/msg00017.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "libpng",
              "vendor": "pnggroup",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.0.9, \u003c 1.6.57"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.0.9 to before 1.6.57, passing a pointer obtained from png_get_PLTE, png_get_tRNS, or png_get_hIST back into the corresponding setter on the same png_struct/png_info pair causes the setter to read from freed memory and copy its contents into the replacement buffer. The setter frees the internal buffer before copying from the caller-supplied pointer, which now dangles. The freed region may contain stale data (producing silently corrupted chunk metadata) or data from subsequent heap allocations (leaking unrelated heap contents into the chunk struct). This vulnerability is fixed in 1.6.57."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-416",
                  "description": "CWE-416: Use After Free",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-09T14:41:18.195Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pnggroup/libpng/security/advisories/GHSA-6fr7-g8h7-v645",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-6fr7-g8h7-v645"
            },
            {
              "name": "https://github.com/pnggroup/libpng/issues/836",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/issues/836"
            },
            {
              "name": "https://github.com/pnggroup/libpng/issues/837",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/issues/837"
            },
            {
              "name": "https://github.com/pnggroup/libpng/commit/398cbe3df03f4e11bb031e07f416dfdde3684e8a",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/commit/398cbe3df03f4e11bb031e07f416dfdde3684e8a"
            },
            {
              "name": "https://github.com/pnggroup/libpng/commit/55d20aaa322c9274491cda82c5cd4f99b48c6bcc",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/commit/55d20aaa322c9274491cda82c5cd4f99b48c6bcc"
            }
          ],
          "source": {
            "advisory": "GHSA-6fr7-g8h7-v645",
            "discovery": "UNKNOWN"
          },
          "title": "LIBPNG has a yse-after-free in png_set_PLTE, png_set_tRNS and png_set_hIST leading to corrupted chunk data and potential heap information disclosure"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-34757",
        "datePublished": "2026-04-09T14:41:18.195Z",
        "dateReserved": "2026-03-30T19:17:10.225Z",
        "dateUpdated": "2026-05-09T10:21:48.394Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33636 (GCVE-0-2026-33636)

    Vulnerability from nvd – Published: 2026-03-26 16:51 – Updated: 2026-03-26 18:45
    VLAI
    Title
    LIBPNG has ARM NEON Palette Expansion Out-of-Bounds Read on AArch64
    Summary
    LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.6.36 through 1.6.55, an out-of-bounds read and write exists in libpng's ARM/AArch64 Neon-optimized palette expansion path. When expanding 8-bit paletted rows to RGB or RGBA, the Neon loop processes a final partial chunk without verifying that enough input pixels remain. Because the implementation works backward from the end of the row, the final iteration dereferences pointers before the start of the row buffer (OOB read) and writes expanded pixel data to the same underflowed positions (OOB write). This is reachable via normal decoding of attacker-controlled PNG input if Neon is enabled. Version 1.6.56 fixes the issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    pnggroup libpng Affected: >= 1.6.36, < 1.6.56
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33636",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-26T18:45:14.491475Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-26T18:45:26.631Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "libpng",
              "vendor": "pnggroup",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.6.36, \u003c 1.6.56"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.6.36 through 1.6.55, an out-of-bounds read and write exists in libpng\u0027s ARM/AArch64 Neon-optimized palette expansion path. When expanding 8-bit paletted rows to RGB or RGBA, the Neon loop processes a final partial chunk without verifying that enough input pixels remain. Because the implementation works backward from the end of the row, the final iteration dereferences pointers before the start of the row buffer (OOB read) and writes expanded pixel data to the same underflowed positions (OOB write). This is reachable via normal decoding of attacker-controlled PNG input if Neon is enabled. Version 1.6.56 fixes the issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-125",
                  "description": "CWE-125: Out-of-bounds Read",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-787",
                  "description": "CWE-787: Out-of-bounds Write",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-26T16:51:58.289Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pnggroup/libpng/security/advisories/GHSA-wjr5-c57x-95m2",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-wjr5-c57x-95m2"
            },
            {
              "name": "https://github.com/pnggroup/libpng/commit/7734cda20cf1236aef60f3bbd2267c97bbb40869",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/commit/7734cda20cf1236aef60f3bbd2267c97bbb40869"
            },
            {
              "name": "https://github.com/pnggroup/libpng/commit/aba9f18eba870d14fb52c5ba5d73451349e339c3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/commit/aba9f18eba870d14fb52c5ba5d73451349e339c3"
            }
          ],
          "source": {
            "advisory": "GHSA-wjr5-c57x-95m2",
            "discovery": "UNKNOWN"
          },
          "title": "LIBPNG has ARM NEON Palette Expansion Out-of-Bounds Read on AArch64"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-33636",
        "datePublished": "2026-03-26T16:51:58.289Z",
        "dateReserved": "2026-03-23T14:24:11.619Z",
        "dateUpdated": "2026-03-26T18:45:26.631Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33416 (GCVE-0-2026-33416)

    Vulnerability from nvd – Published: 2026-03-26 16:48 – Updated: 2026-04-01 03:55
    VLAI
    Title
    LIBPNG has use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`
    Summary
    LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, `png_set_tRNS` and `png_set_PLTE` each alias a heap-allocated buffer between `png_struct` and `png_info`, sharing a single allocation across two structs with independent lifetimes. The `trans_alpha` aliasing has been present since at least libpng 1.0, and the `palette` aliasing since at least 1.2.1. Both affect all prior release lines `png_set_tRNS` sets `png_ptr->trans_alpha = info_ptr->trans_alpha` (256-byte buffer) and `png_set_PLTE` sets `info_ptr->palette = png_ptr->palette` (768-byte buffer). In both cases, calling `png_free_data` (with `PNG_FREE_TRNS` or `PNG_FREE_PLTE`) frees the buffer through `info_ptr` while the corresponding `png_ptr` pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory. A second call to `png_set_tRNS` or `png_set_PLTE` has the same effect, because both functions call `png_free_data` internally before reallocating the `info_ptr` buffer. Version 1.6.56 fixes the issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    pnggroup libpng Affected: >= 1.2.1, < 1.6.56
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33416",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-31T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-01T03:55:17.603Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "libpng",
              "vendor": "pnggroup",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.2.1, \u003c 1.6.56"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, `png_set_tRNS` and `png_set_PLTE` each alias a heap-allocated buffer between `png_struct` and `png_info`, sharing a single allocation across two structs with independent lifetimes. The `trans_alpha` aliasing has been present since at least libpng 1.0, and the `palette` aliasing since at least 1.2.1. Both affect all prior release lines `png_set_tRNS` sets `png_ptr-\u003etrans_alpha = info_ptr-\u003etrans_alpha` (256-byte buffer) and `png_set_PLTE` sets `info_ptr-\u003epalette = png_ptr-\u003epalette` (768-byte buffer). In both cases, calling `png_free_data` (with `PNG_FREE_TRNS` or `PNG_FREE_PLTE`) frees the buffer through `info_ptr` while the corresponding `png_ptr` pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory. A second call to `png_set_tRNS` or `png_set_PLTE` has the same effect, because both functions call `png_free_data` internally before reallocating the `info_ptr` buffer. Version 1.6.56 fixes the issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-416",
                  "description": "CWE-416: Use After Free",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-26T16:48:54.174Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j"
            },
            {
              "name": "https://github.com/pnggroup/libpng/pull/824",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/pull/824"
            },
            {
              "name": "https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb"
            },
            {
              "name": "https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667"
            },
            {
              "name": "https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25"
            },
            {
              "name": "https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1"
            }
          ],
          "source": {
            "advisory": "GHSA-m4pc-p4q3-4c7j",
            "discovery": "UNKNOWN"
          },
          "title": "LIBPNG has use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-33416",
        "datePublished": "2026-03-26T16:48:54.174Z",
        "dateReserved": "2026-03-19T17:02:34.172Z",
        "dateUpdated": "2026-04-01T03:55:17.603Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-3713 (GCVE-0-2026-3713)

    Vulnerability from nvd – Published: 2026-03-08 06:02 – Updated: 2026-03-11 13:43 X_Open Source
    VLAI
    Title
    pnggroup libpng pnm2png pnm2png.c do_pnm2png heap-based overflow
    Summary
    A flaw has been found in pnggroup libpng up to 1.6.55. Affected by this vulnerability is the function do_pnm2png of the file contrib/pngminus/pnm2png.c of the component pnm2png. This manipulation of the argument width/height causes heap-based buffer overflow. The attack is restricted to local execution. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    pnggroup libpng Affected: 1.6.0
    Affected: 1.6.1
    Affected: 1.6.2
    Affected: 1.6.3
    Affected: 1.6.4
    Affected: 1.6.5
    Affected: 1.6.6
    Affected: 1.6.7
    Affected: 1.6.8
    Affected: 1.6.9
    Affected: 1.6.10
    Affected: 1.6.11
    Affected: 1.6.12
    Affected: 1.6.13
    Affected: 1.6.14
    Affected: 1.6.15
    Affected: 1.6.16
    Affected: 1.6.17
    Affected: 1.6.18
    Affected: 1.6.19
    Affected: 1.6.20
    Affected: 1.6.21
    Affected: 1.6.22
    Affected: 1.6.23
    Affected: 1.6.24
    Affected: 1.6.25
    Affected: 1.6.26
    Affected: 1.6.27
    Affected: 1.6.28
    Affected: 1.6.29
    Affected: 1.6.30
    Affected: 1.6.31
    Affected: 1.6.32
    Affected: 1.6.33
    Affected: 1.6.34
    Affected: 1.6.35
    Affected: 1.6.36
    Affected: 1.6.37
    Affected: 1.6.38
    Affected: 1.6.39
    Affected: 1.6.40
    Affected: 1.6.41
    Affected: 1.6.42
    Affected: 1.6.43
    Affected: 1.6.44
    Affected: 1.6.45
    Affected: 1.6.46
    Affected: 1.6.47
    Affected: 1.6.48
    Affected: 1.6.49
    Affected: 1.6.50
    Affected: 1.6.51
    Affected: 1.6.52
    Affected: 1.6.53
    Affected: 1.6.54
    Affected: 1.6.55
        cpe:2.3:a:libpng:libpng:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    biniam (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-3713",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-11T13:42:50.906724Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-11T13:43:22.092Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:libpng:libpng:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "pnm2png"
              ],
              "product": "libpng",
              "vendor": "pnggroup",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.6.0"
                },
                {
                  "status": "affected",
                  "version": "1.6.1"
                },
                {
                  "status": "affected",
                  "version": "1.6.2"
                },
                {
                  "status": "affected",
                  "version": "1.6.3"
                },
                {
                  "status": "affected",
                  "version": "1.6.4"
                },
                {
                  "status": "affected",
                  "version": "1.6.5"
                },
                {
                  "status": "affected",
                  "version": "1.6.6"
                },
                {
                  "status": "affected",
                  "version": "1.6.7"
                },
                {
                  "status": "affected",
                  "version": "1.6.8"
                },
                {
                  "status": "affected",
                  "version": "1.6.9"
                },
                {
                  "status": "affected",
                  "version": "1.6.10"
                },
                {
                  "status": "affected",
                  "version": "1.6.11"
                },
                {
                  "status": "affected",
                  "version": "1.6.12"
                },
                {
                  "status": "affected",
                  "version": "1.6.13"
                },
                {
                  "status": "affected",
                  "version": "1.6.14"
                },
                {
                  "status": "affected",
                  "version": "1.6.15"
                },
                {
                  "status": "affected",
                  "version": "1.6.16"
                },
                {
                  "status": "affected",
                  "version": "1.6.17"
                },
                {
                  "status": "affected",
                  "version": "1.6.18"
                },
                {
                  "status": "affected",
                  "version": "1.6.19"
                },
                {
                  "status": "affected",
                  "version": "1.6.20"
                },
                {
                  "status": "affected",
                  "version": "1.6.21"
                },
                {
                  "status": "affected",
                  "version": "1.6.22"
                },
                {
                  "status": "affected",
                  "version": "1.6.23"
                },
                {
                  "status": "affected",
                  "version": "1.6.24"
                },
                {
                  "status": "affected",
                  "version": "1.6.25"
                },
                {
                  "status": "affected",
                  "version": "1.6.26"
                },
                {
                  "status": "affected",
                  "version": "1.6.27"
                },
                {
                  "status": "affected",
                  "version": "1.6.28"
                },
                {
                  "status": "affected",
                  "version": "1.6.29"
                },
                {
                  "status": "affected",
                  "version": "1.6.30"
                },
                {
                  "status": "affected",
                  "version": "1.6.31"
                },
                {
                  "status": "affected",
                  "version": "1.6.32"
                },
                {
                  "status": "affected",
                  "version": "1.6.33"
                },
                {
                  "status": "affected",
                  "version": "1.6.34"
                },
                {
                  "status": "affected",
                  "version": "1.6.35"
                },
                {
                  "status": "affected",
                  "version": "1.6.36"
                },
                {
                  "status": "affected",
                  "version": "1.6.37"
                },
                {
                  "status": "affected",
                  "version": "1.6.38"
                },
                {
                  "status": "affected",
                  "version": "1.6.39"
                },
                {
                  "status": "affected",
                  "version": "1.6.40"
                },
                {
                  "status": "affected",
                  "version": "1.6.41"
                },
                {
                  "status": "affected",
                  "version": "1.6.42"
                },
                {
                  "status": "affected",
                  "version": "1.6.43"
                },
                {
                  "status": "affected",
                  "version": "1.6.44"
                },
                {
                  "status": "affected",
                  "version": "1.6.45"
                },
                {
                  "status": "affected",
                  "version": "1.6.46"
                },
                {
                  "status": "affected",
                  "version": "1.6.47"
                },
                {
                  "status": "affected",
                  "version": "1.6.48"
                },
                {
                  "status": "affected",
                  "version": "1.6.49"
                },
                {
                  "status": "affected",
                  "version": "1.6.50"
                },
                {
                  "status": "affected",
                  "version": "1.6.51"
                },
                {
                  "status": "affected",
                  "version": "1.6.52"
                },
                {
                  "status": "affected",
                  "version": "1.6.53"
                },
                {
                  "status": "affected",
                  "version": "1.6.54"
                },
                {
                  "status": "affected",
                  "version": "1.6.55"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "biniam (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw has been found in pnggroup libpng up to 1.6.55. Affected by this vulnerability is the function do_pnm2png of the file contrib/pngminus/pnm2png.c of the component pnm2png. This manipulation of the argument width/height causes heap-based buffer overflow. The attack is restricted to local execution. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 4.3,
                "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:C",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-122",
                  "description": "Heap-based Buffer Overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-119",
                  "description": "Memory Corruption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-08T06:02:11.204Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-349658 | pnggroup libpng pnm2png pnm2png.c do_pnm2png heap-based overflow",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.349658"
            },
            {
              "name": "VDB-349658 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.349658"
            },
            {
              "name": "Submit #761996 | libpng pnm2png 1.8.0 Integer Overflow to Buffer Overflow",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.761996"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/pnggroup/libpng/issues/794"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://github.com/biniamf/pocs/tree/main/pnm2png"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/pnggroup/libpng/"
            }
          ],
          "tags": [
            "x_open-source"
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-03-07T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-03-07T01:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-03-07T11:57:28.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "pnggroup libpng pnm2png pnm2png.c do_pnm2png heap-based overflow"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-3713",
        "datePublished": "2026-03-08T06:02:11.204Z",
        "dateReserved": "2026-03-07T10:52:23.533Z",
        "dateUpdated": "2026-03-11T13:43:22.092Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-25646 (GCVE-0-2026-25646)

    Vulnerability from nvd – Published: 2026-02-10 17:04 – Updated: 2026-06-30 12:06
    VLAI
    Title
    LIBPNG has a heap buffer overflow in png_set_quantize
    Summary
    LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://github.com/pnggroup/libpng/security/advis… x_refsource_CONFIRM
    https://github.com/pnggroup/libpng/commit/01d03b8… x_refsource_MISC
    http://www.openwall.com/lists/oss-security/2026/02/09/7
    https://access.redhat.com/security/cve/CVE-2026-25646 vdb-entryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2438542 issue-trackingx_refsource_REDHAT
    https://security.access.redhat.com/data/csaf/v2/v… x_sadp-csaf-vex
    https://access.redhat.com/errata/RHSA-2026:4756 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:7032 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:9254 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:12274 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:7239 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:15087 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:14773 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:10097 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:17596 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:6553 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:7243 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:3577 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:3551 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:9686 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:6445 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:6439 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:7035 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:6466 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:7036 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:6467 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:7033 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:6469 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:7034 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:6468 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:3573 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:4222 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:3575 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:4221 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:3574 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:3969 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:3576 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:3968 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:3405 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:3031 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:4728 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:4732 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:4731 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:4730 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:4729 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:4306 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:9255 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:8748 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:8746 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:8747 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:16174 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:9687 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:5606 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:4501 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:6732 vendor-advisoryx_refsource_REDHAT
    Impacted products
    Vendor Product Version
    pnggroup libpng Affected: < 1.6.55
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux Server (v. 7 ELS)     cpe:/o:redhat:rhel_els:7
    Create a notification for this product.
    Red Hat Red Hat OpenJDK 11 ELS for RHEL 7     cpe:/a:redhat:openjdk_els:11::el7
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux Server Optional (v. 7 ELS)     cpe:/o:redhat:rhel_els:7
    Create a notification for this product.
    Red Hat Red Hat OpenJDK 11 ELS for RHEL 8     cpe:/a:redhat:openjdk_els:11::el8
    Create a notification for this product.
    Red Hat Red Hat OpenShift Container Platform 4.12     cpe:/a:redhat:openshift:4.12::el8
    Create a notification for this product.
    Red Hat Red Hat OpenJDK 11 ELS for RHEL 9     cpe:/a:redhat:openjdk_els:11::el9
    Create a notification for this product.
    Red Hat Red Hat OpenShift Container Platform 4.13     cpe:/a:redhat:openshift:4.13::el9
    Create a notification for this product.
    Red Hat Red Hat OpenShift Container Platform 4.14     cpe:/a:redhat:openshift:4.14::el9
    Create a notification for this product.
    Red Hat Red Hat OpenShift Container Platform 4.15     cpe:/a:redhat:openshift:4.15::el9
    Create a notification for this product.
    Red Hat Red Hat OpenShift Container Platform 4.16     cpe:/a:redhat:openshift:4.16::el9
    Create a notification for this product.
    Red Hat Red Hat OpenShift Container Platform 4.17     cpe:/a:redhat:openshift:4.17::el9
    Create a notification for this product.
    Red Hat Red Hat OpenShift Container Platform 4.18     cpe:/a:redhat:openshift:4.18::el9
    Create a notification for this product.
    Red Hat Red Hat OpenShift Container Platform 4.19     cpe:/a:redhat:openshift:4.19::el9
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream EUS (v. 10.0)     cpe:/o:redhat:enterprise_linux_eus:10.0
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream (v. 10)     cpe:/o:redhat:enterprise_linux:10.1
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream (v. 8)     cpe:/a:redhat:enterprise_linux:8::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream AUS (v. 8.2)     cpe:/a:redhat:rhel_aus:8.2::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream AUS (v.8.4)     cpe:/a:redhat:rhel_aus:8.4::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)     cpe:/a:redhat:rhel_eus_long_life:8.4::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream AUS (v.8.6)     cpe:/a:redhat:rhel_aus:8.6::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream E4S (v.8.6)     cpe:/a:redhat:rhel_e4s:8.6::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream TUS (v.8.6)     cpe:/a:redhat:rhel_tus:8.6::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream E4S (v.8.8)     cpe:/a:redhat:rhel_e4s:8.8::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream TUS (v.8.8)     cpe:/a:redhat:rhel_tus:8.8::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream E4S (v.9.0)     cpe:/a:redhat:rhel_e4s:9.0::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream E4S (v.9.2)     cpe:/a:redhat:rhel_e4s:9.2::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream EUS (v.9.4)     cpe:/a:redhat:rhel_eus:9.4::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream EUS (v.9.6)     cpe:/a:redhat:rhel_eus:9.6::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream (v. 9)     cpe:/a:redhat:enterprise_linux:9::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux BaseOS EUS (v. 10.0)     cpe:/o:redhat:enterprise_linux_eus:10.0
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux BaseOS (v. 10)     cpe:/o:redhat:enterprise_linux:10.1
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux BaseOS (v. 8)     cpe:/o:redhat:enterprise_linux:8::baseos
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux BaseOS AUS (v. 8.2)     cpe:/o:redhat:rhel_aus:8.2::baseos
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux BaseOS AUS (v.8.4)     cpe:/o:redhat:rhel_aus:8.4::baseos
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)     cpe:/o:redhat:rhel_eus_long_life:8.4::baseos
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux BaseOS AUS (v.8.6)     cpe:/o:redhat:rhel_aus:8.6::baseos
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux BaseOS E4S (v.8.6)     cpe:/o:redhat:rhel_e4s:8.6::baseos
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux BaseOS TUS (v.8.6)     cpe:/o:redhat:rhel_tus:8.6::baseos
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux BaseOS E4S (v.8.8)     cpe:/o:redhat:rhel_e4s:8.8::baseos
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux BaseOS TUS (v.8.8)     cpe:/o:redhat:rhel_tus:8.8::baseos
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux BaseOS E4S (v.9.0)     cpe:/o:redhat:rhel_e4s:9.0::baseos
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux BaseOS E4S (v.9.2)     cpe:/o:redhat:rhel_e4s:9.2::baseos
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux BaseOS EUS (v.9.4)     cpe:/o:redhat:rhel_eus:9.4::baseos
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux BaseOS EUS (v.9.6)     cpe:/o:redhat:rhel_eus:9.6::baseos
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux BaseOS (v. 9)     cpe:/o:redhat:enterprise_linux:9::baseos
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux CRB (v. 8)     cpe:/a:redhat:enterprise_linux:8::crb
    Create a notification for this product.
    Red Hat Red Hat CodeReady Linux Builder EUS (v.9.4)     cpe:/a:redhat:rhel_eus:9.4::crb
    Create a notification for this product.
    Red Hat Red Hat CodeReady Linux Builder EUS (v.9.6)     cpe:/a:redhat:rhel_eus:9.6::crb
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)     cpe:/a:redhat:enterprise_linux:9::crb
    Create a notification for this product.
    Red Hat OPENJDK ELS 11.0.31     cpe:/a:redhat:openjdk_els:11
    Create a notification for this product.
    Red Hat Red Hat AI Inference Server 3.3     cpe:/a:redhat:ai_inference_server:3.3::el9
    Create a notification for this product.
    Red Hat Red Hat Build of OpenJDK 17.0.9     cpe:/a:redhat:openjdk:17
    Create a notification for this product.
    Red Hat Red Hat Ceph Storage 8     cpe:/a:redhat:ceph_storage:8::el9
    Create a notification for this product.
    Red Hat Red Hat Discovery 2     cpe:/a:redhat:discovery:2::el9
    Create a notification for this product.
    Red Hat Red Hat Hardened Images     cpe:/a:redhat:hummingbird:1
    Create a notification for this product.
    Red Hat Red Hat build of OpenJDK 1.8     cpe:/a:redhat:openjdk:1.8
    Create a notification for this product.
    Red Hat Red Hat build of OpenJDK 21     cpe:/a:redhat:openjdk:21
    Create a notification for this product.
    Red Hat Red Hat build of OpenJDK 25     cpe:/a:redhat:openjdk:25
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 10     cpe:/o:redhat:enterprise_linux:10
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 6     cpe:/o:redhat:enterprise_linux:6
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 9     cpe:/o:redhat:enterprise_linux:9
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 7     cpe:/o:redhat:enterprise_linux:7
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2026-02-10T17:25:31.583Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/02/09/7"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25646",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-11T15:31:50.552532Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-11T15:31:58.665Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-g8hp-mq4h-rqm3"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/o:redhat:rhel_els:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux Server (v. 7 ELS)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk_els:11::el7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenJDK 11 ELS for RHEL 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:rhel_els:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux Server Optional (v. 7 ELS)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk_els:11::el8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenJDK 11 ELS for RHEL 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift:4.12::el8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Container Platform 4.12",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk_els:11::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenJDK 11 ELS for RHEL 9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift:4.13::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Container Platform 4.13",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift:4.14::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Container Platform 4.14",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift:4.15::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Container Platform 4.15",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift:4.16::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Container Platform 4.16",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift:4.17::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Container Platform 4.17",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift:4.18::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Container Platform 4.18",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift:4.19::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Container Platform 4.19",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux_eus:10.0"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10.1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 10)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:8::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_aus:8.2::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_aus:8.4::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream AUS (v.8.4)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus_long_life:8.4::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_aus:8.6::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream AUS (v.8.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_e4s:8.6::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream E4S (v.8.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_tus:8.6::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream TUS (v.8.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_e4s:8.8::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream E4S (v.8.8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_tus:8.8::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream TUS (v.8.8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_e4s:9.0::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream E4S (v.9.0)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_e4s:9.2::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus:9.4::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus:9.6::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:9::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 9)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux_eus:10.0"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux BaseOS EUS (v. 10.0)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10.1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux BaseOS (v. 10)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:8::baseos"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux BaseOS (v. 8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:rhel_aus:8.2::baseos"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux BaseOS AUS (v. 8.2)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:rhel_aus:8.4::baseos"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux BaseOS AUS (v.8.4)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:rhel_eus_long_life:8.4::baseos"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:rhel_aus:8.6::baseos"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux BaseOS AUS (v.8.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:rhel_e4s:8.6::baseos"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux BaseOS E4S (v.8.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:rhel_tus:8.6::baseos"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux BaseOS TUS (v.8.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:rhel_e4s:8.8::baseos"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux BaseOS E4S (v.8.8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:rhel_tus:8.8::baseos"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux BaseOS TUS (v.8.8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:rhel_e4s:9.0::baseos"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux BaseOS E4S (v.9.0)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:rhel_e4s:9.2::baseos"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux BaseOS E4S (v.9.2)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:rhel_eus:9.4::baseos"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux BaseOS EUS (v.9.4)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:rhel_eus:9.6::baseos"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux BaseOS EUS (v.9.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:9::baseos"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux BaseOS (v. 9)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:8::crb"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux CRB (v. 8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus:9.4::crb"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat CodeReady Linux Builder EUS (v.9.4)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus:9.6::crb"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:9::crb"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk_els:11"
                ],
                "defaultStatus": "affected",
                "product": "OPENJDK ELS 11.0.31",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ai_inference_server:3.3::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat AI Inference Server 3.3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:17"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of OpenJDK 17.0.9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ceph_storage:8::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Ceph Storage 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:discovery:2::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Discovery 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:hummingbird:1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Hardened Images",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:1.8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of OpenJDK 1.8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:21"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of OpenJDK 21",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:25"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of OpenJDK 25",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux 10",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:6"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux 6",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux 9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:7"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 7",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-02-10T17:04:38.501Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A heap based buffer overflow flaw has been discovered in LibPNG. Prior to version 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user\u0027s display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "HIGH",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-125",
                    "description": "Out-of-bounds Read",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:06:32.587Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-25646"
              },
              {
                "name": "RHBZ#2438542",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2438542"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-25646.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:4756"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:7032"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9254"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:12274"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:7239"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:15087"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:14773"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:10097"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:17596"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:6553"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:7243"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:3577"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:3551"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9686"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:6445"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:6439"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:7035"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:6466"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:7036"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:6467"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:7033"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:6469"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:7034"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:6468"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:3573"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:4222"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:3575"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:4221"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:3574"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:3969"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:3576"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:3968"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:3405"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:3031"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:4728"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:4732"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:4731"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:4730"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:4729"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:4306"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9255"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:8748"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:8746"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:8747"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:16174"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9687"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:5606"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:4501"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:6732"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:4756: Red Hat Enterprise Linux Server (v. 7 ELS), Red Hat Enterprise Linux Server Optional (v. 7 ELS)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:7032: Red Hat Enterprise Linux Server (v. 7 ELS)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9254: Red Hat OpenJDK 11 ELS for RHEL 7, Red Hat OpenJDK 11 ELS for RHEL 8, Red Hat OpenJDK 11 ELS for RHEL 9"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:12274: Red Hat OpenShift Container Platform 4.12"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:7239: Red Hat OpenShift Container Platform 4.13"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:15087: Red Hat OpenShift Container Platform 4.14"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:14773: Red Hat OpenShift Container Platform 4.15"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:10097: Red Hat OpenShift Container Platform 4.16"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:17596: Red Hat OpenShift Container Platform 4.17"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:6553: Red Hat OpenShift Container Platform 4.18"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:7243: Red Hat OpenShift Container Platform 4.19"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:3577: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux BaseOS EUS (v. 10.0)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:3551: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9686: Red Hat CodeReady Linux Builder EUS (v.9.4), Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream (v. 8), Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux AppStream AUS (v.8.4), Red Hat Enterprise Linux AppStream AUS (v.8.6), Red Hat Enterprise Linux AppStream E4S (v.8.6), Red Hat Enterprise Linux AppStream E4S (v.8.8), Red Hat Enterprise Linux AppStream E4S (v.9.0), Red Hat Enterprise Linux AppStream E4S (v.9.2), Red Hat Enterprise Linux AppStream EUS (v.9.4), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4), Red Hat Enterprise Linux AppStream TUS (v.8.6), Red Hat Enterprise Linux AppStream TUS (v.8.8), Red Hat Enterprise Linux CRB (v. 8), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:6445: Red Hat Enterprise Linux AppStream (v. 8)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:6439: Red Hat Enterprise Linux AppStream (v. 8)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:7035: Red Hat Enterprise Linux AppStream AUS (v. 8.2)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:6466: Red Hat Enterprise Linux AppStream AUS (v. 8.2)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:7036: Red Hat Enterprise Linux AppStream AUS (v.8.4), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:6467: Red Hat Enterprise Linux AppStream AUS (v.8.4), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:7033: Red Hat Enterprise Linux AppStream AUS (v.8.6), Red Hat Enterprise Linux AppStream E4S (v.8.6), Red Hat Enterprise Linux AppStream TUS (v.8.6)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:6469: Red Hat Enterprise Linux AppStream AUS (v.8.6), Red Hat Enterprise Linux AppStream E4S (v.8.6), Red Hat Enterprise Linux AppStream TUS (v.8.6)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:7034: Red Hat Enterprise Linux AppStream E4S (v.8.8), Red Hat Enterprise Linux AppStream TUS (v.8.8)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:6468: Red Hat Enterprise Linux AppStream E4S (v.8.8), Red Hat Enterprise Linux AppStream TUS (v.8.8)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:3573: Red Hat Enterprise Linux AppStream E4S (v.9.0), Red Hat Enterprise Linux BaseOS E4S (v.9.0)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:4222: Red Hat Enterprise Linux AppStream E4S (v.9.0)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:3575: Red Hat Enterprise Linux AppStream E4S (v.9.2), Red Hat Enterprise Linux BaseOS E4S (v.9.2)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:4221: Red Hat Enterprise Linux AppStream E4S (v.9.2)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:3574: Red Hat Enterprise Linux AppStream EUS (v.9.4), Red Hat Enterprise Linux BaseOS EUS (v.9.4)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:3969: Red Hat Enterprise Linux AppStream EUS (v.9.4)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:3576: Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux BaseOS EUS (v.9.6)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:3968: Red Hat Enterprise Linux AppStream EUS (v.9.6)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:3405: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:3031: Red Hat Enterprise Linux AppStream (v. 9)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:4728: Red Hat Enterprise Linux BaseOS (v. 8)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:4732: Red Hat Enterprise Linux BaseOS AUS (v. 8.2)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:4731: Red Hat Enterprise Linux BaseOS AUS (v.8.4), Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:4730: Red Hat Enterprise Linux BaseOS AUS (v.8.6), Red Hat Enterprise Linux BaseOS E4S (v.8.6), Red Hat Enterprise Linux BaseOS TUS (v.8.6)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:4729: Red Hat Enterprise Linux BaseOS E4S (v.8.8), Red Hat Enterprise Linux BaseOS TUS (v.8.8)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:4306: Red Hat Enterprise Linux CRB (v. 8)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9255: OPENJDK ELS 11.0.31"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:8748: Red Hat AI Inference Server 3.3"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:8746: Red Hat AI Inference Server 3.3"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:8747: Red Hat AI Inference Server 3.3"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:16174: Red Hat AI Inference Server 3.3"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9687: Red Hat Build of OpenJDK 17.0.9"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:5606: Red Hat Ceph Storage 8"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:4501: Red Hat Discovery 2"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:6732: Red Hat Hardened Images"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-02-10T18:01:28.232Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-02-10T17:04:38.501Z",
                "value": "Made public."
              }
            ],
            "title": "libpng: LIBPNG has a heap buffer overflow in png_set_quantize",
            "workarounds": [
              {
                "lang": "en",
                "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "libpng",
              "vendor": "pnggroup",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.6.55"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user\u0027s display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-122",
                  "description": "CWE-122: Heap-based Buffer Overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-126",
                  "description": "CWE-126: Buffer Over-read",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-10T17:04:38.501Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pnggroup/libpng/security/advisories/GHSA-g8hp-mq4h-rqm3",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-g8hp-mq4h-rqm3"
            },
            {
              "name": "https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e5a1c7277d88",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e5a1c7277d88"
            }
          ],
          "source": {
            "advisory": "GHSA-g8hp-mq4h-rqm3",
            "discovery": "UNKNOWN"
          },
          "title": "LIBPNG has a heap buffer overflow in png_set_quantize"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-25646",
        "datePublished": "2026-02-10T17:04:38.501Z",
        "dateReserved": "2026-02-04T05:15:41.791Z",
        "dateUpdated": "2026-06-30T12:06:32.587Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-22801 (GCVE-0-2026-22801)

    Vulnerability from nvd – Published: 2026-01-12 22:57 – Updated: 2026-01-13 19:37
    VLAI
    Title
    LIBPNG has an integer truncation causing heap buffer over-read in png_image_write_*
    Summary
    LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-125 - Out-of-bounds Read
    • CWE-190 - Integer Overflow or Wraparound
    Assigner
    References
    Impacted products
    Vendor Product Version
    pnggroup libpng Affected: < 1.6.54
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-22801",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-13T19:37:38.282435Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-13T19:37:45.414Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "libpng",
              "vendor": "pnggroup",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.6.54"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-125",
                  "description": "CWE-125: Out-of-bounds Read",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-190",
                  "description": "CWE-190: Integer Overflow or Wraparound",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-12T22:57:58.288Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pnggroup/libpng/security/advisories/GHSA-vgjq-8cw5-ggw8",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-vgjq-8cw5-ggw8"
            }
          ],
          "source": {
            "advisory": "GHSA-vgjq-8cw5-ggw8",
            "discovery": "UNKNOWN"
          },
          "title": "LIBPNG has an integer truncation causing heap buffer over-read in png_image_write_*"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-22801",
        "datePublished": "2026-01-12T22:57:58.288Z",
        "dateReserved": "2026-01-09T22:50:10.287Z",
        "dateUpdated": "2026-01-13T19:37:45.414Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-22695 (GCVE-0-2026-22695)

    Vulnerability from nvd – Published: 2026-01-12 22:55 – Updated: 2026-01-13 19:07
    VLAI
    Title
    LIBPNG has a heap buffer over-read in png_image_read_direct_scaled (regression from CVE-2025-65018 fix)
    Summary
    LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.51 to 1.6.53, there is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018. This vulnerability is fixed in 1.6.54.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    pnggroup libpng Affected: < 1.6.54
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-22695",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-13T14:13:00.487878Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-13T19:07:10.972Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "libpng",
              "vendor": "pnggroup",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.6.54"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.51 to 1.6.53, there is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018. This vulnerability is fixed in 1.6.54."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-125",
                  "description": "CWE-125: Out-of-bounds Read",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-12T22:55:40.204Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pnggroup/libpng/security/advisories/GHSA-mmq5-27w3-rxpp",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-mmq5-27w3-rxpp"
            },
            {
              "name": "https://github.com/pnggroup/libpng/issues/778",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/issues/778"
            },
            {
              "name": "https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea"
            },
            {
              "name": "https://github.com/pnggroup/libpng/commit/e4f7ad4ea2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/commit/e4f7ad4ea2"
            }
          ],
          "source": {
            "advisory": "GHSA-mmq5-27w3-rxpp",
            "discovery": "UNKNOWN"
          },
          "title": "LIBPNG has a heap buffer over-read in png_image_read_direct_scaled (regression from CVE-2025-65018 fix)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-22695",
        "datePublished": "2026-01-12T22:55:40.204Z",
        "dateReserved": "2026-01-08T19:23:09.855Z",
        "dateUpdated": "2026-01-13T19:07:10.972Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-66293 (GCVE-0-2025-66293)

    Vulnerability from nvd – Published: 2025-12-03 20:33 – Updated: 2025-12-04 01:31
    VLAI
    Title
    LIBPNG has an out-of-bounds read in png_image_read_composite
    Summary
    LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.52, an out-of-bounds read vulnerability in libpng's simplified API allows reading up to 1012 bytes beyond the png_sRGB_base[512] array when processing valid palette PNG images with partial transparency and gamma correction. The PNG files that trigger this vulnerability are valid per the PNG specification; the bug is in libpng's internal state management. Upgrade to libpng 1.6.52 or later.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    pnggroup libpng Affected: < 1.6.52
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66293",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-03T20:52:13.771582Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-03T20:55:03.573Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/pnggroup/libpng/issues/764"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-12-04T01:31:47.574Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/12/03/6"
              },
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/12/03/7"
              },
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/12/03/8"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "libpng",
              "vendor": "pnggroup",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.6.52"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.52, an out-of-bounds read vulnerability in libpng\u0027s simplified API allows reading up to 1012 bytes beyond the png_sRGB_base[512] array when processing valid palette PNG images with partial transparency and gamma correction. The PNG files that trigger this vulnerability are valid per the PNG specification; the bug is in libpng\u0027s internal state management. Upgrade to libpng 1.6.52 or later."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-125",
                  "description": "CWE-125: Out-of-bounds Read",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-03T20:33:57.086Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pnggroup/libpng/security/advisories/GHSA-9mpm-9pxh-mg4f",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-9mpm-9pxh-mg4f"
            },
            {
              "name": "https://github.com/pnggroup/libpng/issues/764",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/issues/764"
            },
            {
              "name": "https://github.com/pnggroup/libpng/commit/788a624d7387a758ffd5c7ab010f1870dea753a1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/commit/788a624d7387a758ffd5c7ab010f1870dea753a1"
            },
            {
              "name": "https://github.com/pnggroup/libpng/commit/a05a48b756de63e3234ea6b3b938b8f5f862484a",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/commit/a05a48b756de63e3234ea6b3b938b8f5f862484a"
            }
          ],
          "source": {
            "advisory": "GHSA-9mpm-9pxh-mg4f",
            "discovery": "UNKNOWN"
          },
          "title": "LIBPNG has an out-of-bounds read in png_image_read_composite"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-66293",
        "datePublished": "2025-12-03T20:33:57.086Z",
        "dateReserved": "2025-11-26T23:11:46.392Z",
        "dateUpdated": "2025-12-04T01:31:47.574Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-65018 (GCVE-0-2025-65018)

    Vulnerability from nvd – Published: 2025-11-24 23:50 – Updated: 2025-11-25 19:29
    VLAI
    Title
    LIBPNG is vulnerable to a heap buffer overflow in `png_combine_row` triggered via `png_image_finish_read`
    Summary
    LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, there is a heap buffer overflow vulnerability in the libpng simplified API function png_image_finish_read when processing 16-bit interlaced PNGs with 8-bit output format. Attacker-crafted interlaced PNG files cause heap writes beyond allocated buffer bounds. This issue has been patched in version 1.6.51.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    pnggroup libpng Affected: >= 1.6.0, < 1.6.51
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-65018",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-25T19:29:28.950712Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-25T19:29:33.633Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-7wv6-48j4-hj3g"
              },
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/pnggroup/libpng/issues/755"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "libpng",
              "vendor": "pnggroup",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.6.0, \u003c 1.6.51"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, there is a heap buffer overflow vulnerability in the libpng simplified API function png_image_finish_read when processing 16-bit interlaced PNGs with 8-bit output format. Attacker-crafted interlaced PNG files cause heap writes beyond allocated buffer bounds. This issue has been patched in version 1.6.51."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-787",
                  "description": "CWE-787: Out-of-bounds Write",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-122",
                  "description": "CWE-122: Heap-based Buffer Overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-24T23:50:18.294Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pnggroup/libpng/security/advisories/GHSA-7wv6-48j4-hj3g",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-7wv6-48j4-hj3g"
            },
            {
              "name": "https://github.com/pnggroup/libpng/issues/755",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/issues/755"
            },
            {
              "name": "https://github.com/pnggroup/libpng/pull/757",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/pull/757"
            },
            {
              "name": "https://github.com/pnggroup/libpng/commit/16b5e3823918840aae65c0a6da57c78a5a496a4d",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/commit/16b5e3823918840aae65c0a6da57c78a5a496a4d"
            },
            {
              "name": "https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea"
            }
          ],
          "source": {
            "advisory": "GHSA-7wv6-48j4-hj3g",
            "discovery": "UNKNOWN"
          },
          "title": "LIBPNG is vulnerable to a heap buffer overflow in `png_combine_row` triggered via `png_image_finish_read`"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-65018",
        "datePublished": "2025-11-24T23:50:18.294Z",
        "dateReserved": "2025-11-13T15:36:51.680Z",
        "dateUpdated": "2025-11-25T19:29:33.633Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-64720 (GCVE-0-2025-64720)

    Vulnerability from nvd – Published: 2025-11-24 23:45 – Updated: 2025-11-25 19:28
    VLAI
    Title
    LIBPNG is vulnerable to a buffer overflow in `png_image_read_composite` via incorrect palette premultiplication
    Summary
    LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, an out-of-bounds read vulnerability exists in png_image_read_composite when processing palette images with PNG_FLAG_OPTIMIZE_ALPHA enabled. The palette compositing code in png_init_read_transformations incorrectly applies background compositing during premultiplication, violating the invariant component ≤ alpha × 257 required by the simplified PNG API. This issue has been patched in version 1.6.51.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    pnggroup libpng Affected: >= 1.6.0, < 1.6.51
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-64720",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-25T19:28:16.806638Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-25T19:28:20.336Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-hfc7-ph9c-wcww"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "libpng",
              "vendor": "pnggroup",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.6.0, \u003c 1.6.51"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, an out-of-bounds read vulnerability exists in png_image_read_composite when processing palette images with PNG_FLAG_OPTIMIZE_ALPHA enabled. The palette compositing code in png_init_read_transformations incorrectly applies background compositing during premultiplication, violating the invariant component \u2264 alpha \u00d7 257 required by the simplified PNG API. This issue has been patched in version 1.6.51."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-125",
                  "description": "CWE-125: Out-of-bounds Read",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-24T23:45:38.315Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pnggroup/libpng/security/advisories/GHSA-hfc7-ph9c-wcww",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-hfc7-ph9c-wcww"
            },
            {
              "name": "https://github.com/pnggroup/libpng/issues/686",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/issues/686"
            },
            {
              "name": "https://github.com/pnggroup/libpng/pull/751",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/pull/751"
            },
            {
              "name": "https://github.com/pnggroup/libpng/commit/08da33b4c88cfcd36e5a706558a8d7e0e4773643",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/commit/08da33b4c88cfcd36e5a706558a8d7e0e4773643"
            }
          ],
          "source": {
            "advisory": "GHSA-hfc7-ph9c-wcww",
            "discovery": "UNKNOWN"
          },
          "title": "LIBPNG is vulnerable to a buffer overflow in `png_image_read_composite` via incorrect palette premultiplication"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-64720",
        "datePublished": "2025-11-24T23:45:38.315Z",
        "dateReserved": "2025-11-10T14:07:42.922Z",
        "dateUpdated": "2025-11-25T19:28:20.336Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-64506 (GCVE-0-2025-64506)

    Vulnerability from nvd – Published: 2025-11-24 23:41 – Updated: 2025-11-25 19:27
    VLAI
    Title
    LIBPNG is vulnerable to a heap buffer over-read in `png_write_image_8bit` with grayscale+alpha or RGB/RGBA images
    Summary
    LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, a heap buffer over-read vulnerability exists in libpng's png_write_image_8bit function when processing 8-bit images through the simplified write API with convert_to_8bit enabled. The vulnerability affects 8-bit grayscale+alpha, RGB/RGBA, and images with incomplete row data. A conditional guard incorrectly allows 8-bit input to enter code expecting 16-bit input, causing reads up to 2 bytes beyond allocated buffer boundaries. This issue has been patched in version 1.6.51.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    pnggroup libpng Affected: >= 1.6.0, < 1.6.51
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-64506",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-25T19:26:55.005617Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-25T19:27:04.161Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "libpng",
              "vendor": "pnggroup",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.6.0, \u003c 1.6.51"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, a heap buffer over-read vulnerability exists in libpng\u0027s png_write_image_8bit function when processing 8-bit images through the simplified write API with convert_to_8bit enabled. The vulnerability affects 8-bit grayscale+alpha, RGB/RGBA, and images with incomplete row data. A conditional guard incorrectly allows 8-bit input to enter code expecting 16-bit input, causing reads up to 2 bytes beyond allocated buffer boundaries. This issue has been patched in version 1.6.51."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-125",
                  "description": "CWE-125: Out-of-bounds Read",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-24T23:41:09.207Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pnggroup/libpng/security/advisories/GHSA-qpr4-xm66-hww6",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-qpr4-xm66-hww6"
            },
            {
              "name": "https://github.com/pnggroup/libpng/pull/749",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/pull/749"
            },
            {
              "name": "https://github.com/pnggroup/libpng/commit/2bd84c019c300b78e811743fbcddb67c9d9bf821",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/commit/2bd84c019c300b78e811743fbcddb67c9d9bf821"
            }
          ],
          "source": {
            "advisory": "GHSA-qpr4-xm66-hww6",
            "discovery": "UNKNOWN"
          },
          "title": "LIBPNG is vulnerable to a heap buffer over-read in `png_write_image_8bit` with grayscale+alpha or RGB/RGBA images"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-64506",
        "datePublished": "2025-11-24T23:41:09.207Z",
        "dateReserved": "2025-11-05T21:15:39.399Z",
        "dateUpdated": "2025-11-25T19:27:04.161Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-64505 (GCVE-0-2025-64505)

    Vulnerability from nvd – Published: 2025-11-24 23:38 – Updated: 2025-11-25 18:55
    VLAI
    Title
    LIBPNG is vulnerable to a heap buffer overflow in `png_do_quantize` via malformed palette index
    Summary
    LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to version 1.6.51, a heap buffer over-read vulnerability exists in libpng's png_do_quantize function when processing PNG files with malformed palette indices. The vulnerability occurs when palette_lookup array bounds are not validated against externally-supplied image data, allowing an attacker to craft a PNG file with out-of-range palette indices that trigger out-of-bounds memory access. This issue has been patched in version 1.6.51.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    pnggroup libpng Affected: < 1.6.51
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-64505",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-25T18:55:44.084881Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-25T18:55:50.619Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "libpng",
              "vendor": "pnggroup",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.6.51"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to version 1.6.51, a heap buffer over-read vulnerability exists in libpng\u0027s png_do_quantize function when processing PNG files with malformed palette indices. The vulnerability occurs when palette_lookup array bounds are not validated against externally-supplied image data, allowing an attacker to craft a PNG file with out-of-range palette indices that trigger out-of-bounds memory access. This issue has been patched in version 1.6.51."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-125",
                  "description": "CWE-125: Out-of-bounds Read",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-24T23:38:40.405Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pnggroup/libpng/security/advisories/GHSA-4952-h5wq-4m42",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-4952-h5wq-4m42"
            },
            {
              "name": "https://github.com/pnggroup/libpng/pull/748",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/pull/748"
            },
            {
              "name": "https://github.com/pnggroup/libpng/commit/6a528eb5fd0dd7f6de1c39d30de0e41473431c37",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/commit/6a528eb5fd0dd7f6de1c39d30de0e41473431c37"
            }
          ],
          "source": {
            "advisory": "GHSA-4952-h5wq-4m42",
            "discovery": "UNKNOWN"
          },
          "title": "LIBPNG is vulnerable to a heap buffer overflow in `png_do_quantize` via malformed palette index"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-64505",
        "datePublished": "2025-11-24T23:38:40.405Z",
        "dateReserved": "2025-11-05T19:12:25.104Z",
        "dateUpdated": "2025-11-25T18:55:50.619Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-40930 (GCVE-0-2026-40930)

    Vulnerability from cvelistv5 – Published: 2026-06-04 14:34 – Updated: 2026-06-04 16:37
    VLAI
    Title
    LIBPNG: Chunk smuggling in push-mode APNG parser via unconsumed chunk body
    Summary
    LIBPNG is a reference library for use in applications that process PNG (Portable Network Graphics) raster image files. In version 1.8.0, three inter-frame chunk discard paths in the push-mode APNG parser clear the chunk-header flag without consuming the chunk body and CRC, allowing attacker-controlled bytes inside an ignored ancillary chunk to be reinterpreted as a fresh chunk header on the next call to `png_process_data`. Commit faf06924688b62d7c1654b5ceddedbde66ffadb4 fixes the issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-436 - Interpretation Conflict
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2026-06-04T15:05:19.991Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/05/15/21"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40930",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-04T16:37:21.465127Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-04T16:37:38.286Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "libpng",
              "vendor": "pnggroup",
              "versions": [
                {
                  "status": "affected",
                  "version": "= 1.8.0"
                }
              ]
            },
            {
              "product": "libpng-apng",
              "vendor": "pnggroup",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.6.49, \u003c= 1.6.57"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "LIBPNG is a reference library for use in applications that process PNG (Portable Network Graphics) raster image files. In version 1.8.0, three inter-frame chunk discard paths in the push-mode APNG parser clear the chunk-header flag without consuming the chunk body and CRC, allowing attacker-controlled bytes inside an ignored ancillary chunk to be reinterpreted as a fresh chunk header on the next call to `png_process_data`. Commit faf06924688b62d7c1654b5ceddedbde66ffadb4 fixes the issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-436",
                  "description": "CWE-436: Interpretation Conflict",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-04T14:34:51.843Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pnggroup/libpng/security/advisories/GHSA-c4v6-gxrq-6g2x",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-c4v6-gxrq-6g2x"
            },
            {
              "name": "https://github.com/pnggroup/libpng/commit/faf06924688b62d7c1654b5ceddedbde66ffadb4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/commit/faf06924688b62d7c1654b5ceddedbde66ffadb4"
            }
          ],
          "source": {
            "advisory": "GHSA-c4v6-gxrq-6g2x",
            "discovery": "UNKNOWN"
          },
          "title": "LIBPNG: Chunk smuggling in push-mode APNG parser via unconsumed chunk body"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-40930",
        "datePublished": "2026-06-04T14:34:51.843Z",
        "dateReserved": "2026-04-15T20:40:15.518Z",
        "dateUpdated": "2026-06-04T16:37:38.286Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-34757 (GCVE-0-2026-34757)

    Vulnerability from cvelistv5 – Published: 2026-04-09 14:41 – Updated: 2026-05-09 10:21
    VLAI
    Title
    LIBPNG has a yse-after-free in png_set_PLTE, png_set_tRNS and png_set_hIST leading to corrupted chunk data and potential heap information disclosure
    Summary
    LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.0.9 to before 1.6.57, passing a pointer obtained from png_get_PLTE, png_get_tRNS, or png_get_hIST back into the corresponding setter on the same png_struct/png_info pair causes the setter to read from freed memory and copy its contents into the replacement buffer. The setter frees the internal buffer before copying from the caller-supplied pointer, which now dangles. The freed region may contain stale data (producing silently corrupted chunk metadata) or data from subsequent heap allocations (leaking unrelated heap contents into the chunk struct). This vulnerability is fixed in 1.6.57.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    pnggroup libpng Affected: >= 1.0.9, < 1.6.57
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-34757",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-09T16:07:19.169786Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-09T16:07:31.052Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2026-05-09T10:21:48.394Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://lists.debian.org/debian-lts-announce/2026/05/msg00017.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "libpng",
              "vendor": "pnggroup",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.0.9, \u003c 1.6.57"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.0.9 to before 1.6.57, passing a pointer obtained from png_get_PLTE, png_get_tRNS, or png_get_hIST back into the corresponding setter on the same png_struct/png_info pair causes the setter to read from freed memory and copy its contents into the replacement buffer. The setter frees the internal buffer before copying from the caller-supplied pointer, which now dangles. The freed region may contain stale data (producing silently corrupted chunk metadata) or data from subsequent heap allocations (leaking unrelated heap contents into the chunk struct). This vulnerability is fixed in 1.6.57."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-416",
                  "description": "CWE-416: Use After Free",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-09T14:41:18.195Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pnggroup/libpng/security/advisories/GHSA-6fr7-g8h7-v645",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-6fr7-g8h7-v645"
            },
            {
              "name": "https://github.com/pnggroup/libpng/issues/836",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/issues/836"
            },
            {
              "name": "https://github.com/pnggroup/libpng/issues/837",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/issues/837"
            },
            {
              "name": "https://github.com/pnggroup/libpng/commit/398cbe3df03f4e11bb031e07f416dfdde3684e8a",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/commit/398cbe3df03f4e11bb031e07f416dfdde3684e8a"
            },
            {
              "name": "https://github.com/pnggroup/libpng/commit/55d20aaa322c9274491cda82c5cd4f99b48c6bcc",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/commit/55d20aaa322c9274491cda82c5cd4f99b48c6bcc"
            }
          ],
          "source": {
            "advisory": "GHSA-6fr7-g8h7-v645",
            "discovery": "UNKNOWN"
          },
          "title": "LIBPNG has a yse-after-free in png_set_PLTE, png_set_tRNS and png_set_hIST leading to corrupted chunk data and potential heap information disclosure"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-34757",
        "datePublished": "2026-04-09T14:41:18.195Z",
        "dateReserved": "2026-03-30T19:17:10.225Z",
        "dateUpdated": "2026-05-09T10:21:48.394Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33636 (GCVE-0-2026-33636)

    Vulnerability from cvelistv5 – Published: 2026-03-26 16:51 – Updated: 2026-03-26 18:45
    VLAI
    Title
    LIBPNG has ARM NEON Palette Expansion Out-of-Bounds Read on AArch64
    Summary
    LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.6.36 through 1.6.55, an out-of-bounds read and write exists in libpng's ARM/AArch64 Neon-optimized palette expansion path. When expanding 8-bit paletted rows to RGB or RGBA, the Neon loop processes a final partial chunk without verifying that enough input pixels remain. Because the implementation works backward from the end of the row, the final iteration dereferences pointers before the start of the row buffer (OOB read) and writes expanded pixel data to the same underflowed positions (OOB write). This is reachable via normal decoding of attacker-controlled PNG input if Neon is enabled. Version 1.6.56 fixes the issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    pnggroup libpng Affected: >= 1.6.36, < 1.6.56
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33636",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-26T18:45:14.491475Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-26T18:45:26.631Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "libpng",
              "vendor": "pnggroup",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.6.36, \u003c 1.6.56"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.6.36 through 1.6.55, an out-of-bounds read and write exists in libpng\u0027s ARM/AArch64 Neon-optimized palette expansion path. When expanding 8-bit paletted rows to RGB or RGBA, the Neon loop processes a final partial chunk without verifying that enough input pixels remain. Because the implementation works backward from the end of the row, the final iteration dereferences pointers before the start of the row buffer (OOB read) and writes expanded pixel data to the same underflowed positions (OOB write). This is reachable via normal decoding of attacker-controlled PNG input if Neon is enabled. Version 1.6.56 fixes the issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-125",
                  "description": "CWE-125: Out-of-bounds Read",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-787",
                  "description": "CWE-787: Out-of-bounds Write",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-26T16:51:58.289Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pnggroup/libpng/security/advisories/GHSA-wjr5-c57x-95m2",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-wjr5-c57x-95m2"
            },
            {
              "name": "https://github.com/pnggroup/libpng/commit/7734cda20cf1236aef60f3bbd2267c97bbb40869",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/commit/7734cda20cf1236aef60f3bbd2267c97bbb40869"
            },
            {
              "name": "https://github.com/pnggroup/libpng/commit/aba9f18eba870d14fb52c5ba5d73451349e339c3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/commit/aba9f18eba870d14fb52c5ba5d73451349e339c3"
            }
          ],
          "source": {
            "advisory": "GHSA-wjr5-c57x-95m2",
            "discovery": "UNKNOWN"
          },
          "title": "LIBPNG has ARM NEON Palette Expansion Out-of-Bounds Read on AArch64"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-33636",
        "datePublished": "2026-03-26T16:51:58.289Z",
        "dateReserved": "2026-03-23T14:24:11.619Z",
        "dateUpdated": "2026-03-26T18:45:26.631Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33416 (GCVE-0-2026-33416)

    Vulnerability from cvelistv5 – Published: 2026-03-26 16:48 – Updated: 2026-04-01 03:55
    VLAI
    Title
    LIBPNG has use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`
    Summary
    LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, `png_set_tRNS` and `png_set_PLTE` each alias a heap-allocated buffer between `png_struct` and `png_info`, sharing a single allocation across two structs with independent lifetimes. The `trans_alpha` aliasing has been present since at least libpng 1.0, and the `palette` aliasing since at least 1.2.1. Both affect all prior release lines `png_set_tRNS` sets `png_ptr->trans_alpha = info_ptr->trans_alpha` (256-byte buffer) and `png_set_PLTE` sets `info_ptr->palette = png_ptr->palette` (768-byte buffer). In both cases, calling `png_free_data` (with `PNG_FREE_TRNS` or `PNG_FREE_PLTE`) frees the buffer through `info_ptr` while the corresponding `png_ptr` pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory. A second call to `png_set_tRNS` or `png_set_PLTE` has the same effect, because both functions call `png_free_data` internally before reallocating the `info_ptr` buffer. Version 1.6.56 fixes the issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    pnggroup libpng Affected: >= 1.2.1, < 1.6.56
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33416",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-31T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-01T03:55:17.603Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "libpng",
              "vendor": "pnggroup",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.2.1, \u003c 1.6.56"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, `png_set_tRNS` and `png_set_PLTE` each alias a heap-allocated buffer between `png_struct` and `png_info`, sharing a single allocation across two structs with independent lifetimes. The `trans_alpha` aliasing has been present since at least libpng 1.0, and the `palette` aliasing since at least 1.2.1. Both affect all prior release lines `png_set_tRNS` sets `png_ptr-\u003etrans_alpha = info_ptr-\u003etrans_alpha` (256-byte buffer) and `png_set_PLTE` sets `info_ptr-\u003epalette = png_ptr-\u003epalette` (768-byte buffer). In both cases, calling `png_free_data` (with `PNG_FREE_TRNS` or `PNG_FREE_PLTE`) frees the buffer through `info_ptr` while the corresponding `png_ptr` pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory. A second call to `png_set_tRNS` or `png_set_PLTE` has the same effect, because both functions call `png_free_data` internally before reallocating the `info_ptr` buffer. Version 1.6.56 fixes the issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-416",
                  "description": "CWE-416: Use After Free",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-26T16:48:54.174Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j"
            },
            {
              "name": "https://github.com/pnggroup/libpng/pull/824",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/pull/824"
            },
            {
              "name": "https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb"
            },
            {
              "name": "https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667"
            },
            {
              "name": "https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25"
            },
            {
              "name": "https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1"
            }
          ],
          "source": {
            "advisory": "GHSA-m4pc-p4q3-4c7j",
            "discovery": "UNKNOWN"
          },
          "title": "LIBPNG has use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-33416",
        "datePublished": "2026-03-26T16:48:54.174Z",
        "dateReserved": "2026-03-19T17:02:34.172Z",
        "dateUpdated": "2026-04-01T03:55:17.603Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-3713 (GCVE-0-2026-3713)

    Vulnerability from cvelistv5 – Published: 2026-03-08 06:02 – Updated: 2026-03-11 13:43 X_Open Source
    VLAI
    Title
    pnggroup libpng pnm2png pnm2png.c do_pnm2png heap-based overflow
    Summary
    A flaw has been found in pnggroup libpng up to 1.6.55. Affected by this vulnerability is the function do_pnm2png of the file contrib/pngminus/pnm2png.c of the component pnm2png. This manipulation of the argument width/height causes heap-based buffer overflow. The attack is restricted to local execution. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    pnggroup libpng Affected: 1.6.0
    Affected: 1.6.1
    Affected: 1.6.2
    Affected: 1.6.3
    Affected: 1.6.4
    Affected: 1.6.5
    Affected: 1.6.6
    Affected: 1.6.7
    Affected: 1.6.8
    Affected: 1.6.9
    Affected: 1.6.10
    Affected: 1.6.11
    Affected: 1.6.12
    Affected: 1.6.13
    Affected: 1.6.14
    Affected: 1.6.15
    Affected: 1.6.16
    Affected: 1.6.17
    Affected: 1.6.18
    Affected: 1.6.19
    Affected: 1.6.20
    Affected: 1.6.21
    Affected: 1.6.22
    Affected: 1.6.23
    Affected: 1.6.24
    Affected: 1.6.25
    Affected: 1.6.26
    Affected: 1.6.27
    Affected: 1.6.28
    Affected: 1.6.29
    Affected: 1.6.30
    Affected: 1.6.31
    Affected: 1.6.32
    Affected: 1.6.33
    Affected: 1.6.34
    Affected: 1.6.35
    Affected: 1.6.36
    Affected: 1.6.37
    Affected: 1.6.38
    Affected: 1.6.39
    Affected: 1.6.40
    Affected: 1.6.41
    Affected: 1.6.42
    Affected: 1.6.43
    Affected: 1.6.44
    Affected: 1.6.45
    Affected: 1.6.46
    Affected: 1.6.47
    Affected: 1.6.48
    Affected: 1.6.49
    Affected: 1.6.50
    Affected: 1.6.51
    Affected: 1.6.52
    Affected: 1.6.53
    Affected: 1.6.54
    Affected: 1.6.55
        cpe:2.3:a:libpng:libpng:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    biniam (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-3713",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-11T13:42:50.906724Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-11T13:43:22.092Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:libpng:libpng:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "pnm2png"
              ],
              "product": "libpng",
              "vendor": "pnggroup",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.6.0"
                },
                {
                  "status": "affected",
                  "version": "1.6.1"
                },
                {
                  "status": "affected",
                  "version": "1.6.2"
                },
                {
                  "status": "affected",
                  "version": "1.6.3"
                },
                {
                  "status": "affected",
                  "version": "1.6.4"
                },
                {
                  "status": "affected",
                  "version": "1.6.5"
                },
                {
                  "status": "affected",
                  "version": "1.6.6"
                },
                {
                  "status": "affected",
                  "version": "1.6.7"
                },
                {
                  "status": "affected",
                  "version": "1.6.8"
                },
                {
                  "status": "affected",
                  "version": "1.6.9"
                },
                {
                  "status": "affected",
                  "version": "1.6.10"
                },
                {
                  "status": "affected",
                  "version": "1.6.11"
                },
                {
                  "status": "affected",
                  "version": "1.6.12"
                },
                {
                  "status": "affected",
                  "version": "1.6.13"
                },
                {
                  "status": "affected",
                  "version": "1.6.14"
                },
                {
                  "status": "affected",
                  "version": "1.6.15"
                },
                {
                  "status": "affected",
                  "version": "1.6.16"
                },
                {
                  "status": "affected",
                  "version": "1.6.17"
                },
                {
                  "status": "affected",
                  "version": "1.6.18"
                },
                {
                  "status": "affected",
                  "version": "1.6.19"
                },
                {
                  "status": "affected",
                  "version": "1.6.20"
                },
                {
                  "status": "affected",
                  "version": "1.6.21"
                },
                {
                  "status": "affected",
                  "version": "1.6.22"
                },
                {
                  "status": "affected",
                  "version": "1.6.23"
                },
                {
                  "status": "affected",
                  "version": "1.6.24"
                },
                {
                  "status": "affected",
                  "version": "1.6.25"
                },
                {
                  "status": "affected",
                  "version": "1.6.26"
                },
                {
                  "status": "affected",
                  "version": "1.6.27"
                },
                {
                  "status": "affected",
                  "version": "1.6.28"
                },
                {
                  "status": "affected",
                  "version": "1.6.29"
                },
                {
                  "status": "affected",
                  "version": "1.6.30"
                },
                {
                  "status": "affected",
                  "version": "1.6.31"
                },
                {
                  "status": "affected",
                  "version": "1.6.32"
                },
                {
                  "status": "affected",
                  "version": "1.6.33"
                },
                {
                  "status": "affected",
                  "version": "1.6.34"
                },
                {
                  "status": "affected",
                  "version": "1.6.35"
                },
                {
                  "status": "affected",
                  "version": "1.6.36"
                },
                {
                  "status": "affected",
                  "version": "1.6.37"
                },
                {
                  "status": "affected",
                  "version": "1.6.38"
                },
                {
                  "status": "affected",
                  "version": "1.6.39"
                },
                {
                  "status": "affected",
                  "version": "1.6.40"
                },
                {
                  "status": "affected",
                  "version": "1.6.41"
                },
                {
                  "status": "affected",
                  "version": "1.6.42"
                },
                {
                  "status": "affected",
                  "version": "1.6.43"
                },
                {
                  "status": "affected",
                  "version": "1.6.44"
                },
                {
                  "status": "affected",
                  "version": "1.6.45"
                },
                {
                  "status": "affected",
                  "version": "1.6.46"
                },
                {
                  "status": "affected",
                  "version": "1.6.47"
                },
                {
                  "status": "affected",
                  "version": "1.6.48"
                },
                {
                  "status": "affected",
                  "version": "1.6.49"
                },
                {
                  "status": "affected",
                  "version": "1.6.50"
                },
                {
                  "status": "affected",
                  "version": "1.6.51"
                },
                {
                  "status": "affected",
                  "version": "1.6.52"
                },
                {
                  "status": "affected",
                  "version": "1.6.53"
                },
                {
                  "status": "affected",
                  "version": "1.6.54"
                },
                {
                  "status": "affected",
                  "version": "1.6.55"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "biniam (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw has been found in pnggroup libpng up to 1.6.55. Affected by this vulnerability is the function do_pnm2png of the file contrib/pngminus/pnm2png.c of the component pnm2png. This manipulation of the argument width/height causes heap-based buffer overflow. The attack is restricted to local execution. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 4.3,
                "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:C",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-122",
                  "description": "Heap-based Buffer Overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-119",
                  "description": "Memory Corruption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-08T06:02:11.204Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-349658 | pnggroup libpng pnm2png pnm2png.c do_pnm2png heap-based overflow",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.349658"
            },
            {
              "name": "VDB-349658 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.349658"
            },
            {
              "name": "Submit #761996 | libpng pnm2png 1.8.0 Integer Overflow to Buffer Overflow",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.761996"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/pnggroup/libpng/issues/794"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://github.com/biniamf/pocs/tree/main/pnm2png"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/pnggroup/libpng/"
            }
          ],
          "tags": [
            "x_open-source"
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-03-07T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-03-07T01:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-03-07T11:57:28.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "pnggroup libpng pnm2png pnm2png.c do_pnm2png heap-based overflow"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-3713",
        "datePublished": "2026-03-08T06:02:11.204Z",
        "dateReserved": "2026-03-07T10:52:23.533Z",
        "dateUpdated": "2026-03-11T13:43:22.092Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-25646 (GCVE-0-2026-25646)

    Vulnerability from cvelistv5 – Published: 2026-02-10 17:04 – Updated: 2026-06-30 12:06
    VLAI
    Title
    LIBPNG has a heap buffer overflow in png_set_quantize
    Summary
    LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://github.com/pnggroup/libpng/security/advis… x_refsource_CONFIRM
    https://github.com/pnggroup/libpng/commit/01d03b8… x_refsource_MISC
    http://www.openwall.com/lists/oss-security/2026/02/09/7
    https://access.redhat.com/security/cve/CVE-2026-25646 vdb-entryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2438542 issue-trackingx_refsource_REDHAT
    https://security.access.redhat.com/data/csaf/v2/v… x_sadp-csaf-vex
    https://access.redhat.com/errata/RHSA-2026:4756 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:7032 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:9254 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:12274 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:7239 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:15087 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:14773 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:10097 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:17596 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:6553 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:7243 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:3577 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:3551 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:9686 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:6445 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:6439 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:7035 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:6466 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:7036 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:6467 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:7033 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:6469 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:7034 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:6468 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:3573 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:4222 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:3575 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:4221 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:3574 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:3969 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:3576 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:3968 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:3405 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:3031 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:4728 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:4732 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:4731 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:4730 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:4729 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:4306 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:9255 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:8748 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:8746 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:8747 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:16174 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:9687 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:5606 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:4501 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:6732 vendor-advisoryx_refsource_REDHAT
    Impacted products
    Vendor Product Version
    pnggroup libpng Affected: < 1.6.55
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux Server (v. 7 ELS)     cpe:/o:redhat:rhel_els:7
    Create a notification for this product.
    Red Hat Red Hat OpenJDK 11 ELS for RHEL 7     cpe:/a:redhat:openjdk_els:11::el7
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux Server Optional (v. 7 ELS)     cpe:/o:redhat:rhel_els:7
    Create a notification for this product.
    Red Hat Red Hat OpenJDK 11 ELS for RHEL 8     cpe:/a:redhat:openjdk_els:11::el8
    Create a notification for this product.
    Red Hat Red Hat OpenShift Container Platform 4.12     cpe:/a:redhat:openshift:4.12::el8
    Create a notification for this product.
    Red Hat Red Hat OpenJDK 11 ELS for RHEL 9     cpe:/a:redhat:openjdk_els:11::el9
    Create a notification for this product.
    Red Hat Red Hat OpenShift Container Platform 4.13     cpe:/a:redhat:openshift:4.13::el9
    Create a notification for this product.
    Red Hat Red Hat OpenShift Container Platform 4.14     cpe:/a:redhat:openshift:4.14::el9
    Create a notification for this product.
    Red Hat Red Hat OpenShift Container Platform 4.15     cpe:/a:redhat:openshift:4.15::el9
    Create a notification for this product.
    Red Hat Red Hat OpenShift Container Platform 4.16     cpe:/a:redhat:openshift:4.16::el9
    Create a notification for this product.
    Red Hat Red Hat OpenShift Container Platform 4.17     cpe:/a:redhat:openshift:4.17::el9
    Create a notification for this product.
    Red Hat Red Hat OpenShift Container Platform 4.18     cpe:/a:redhat:openshift:4.18::el9
    Create a notification for this product.
    Red Hat Red Hat OpenShift Container Platform 4.19     cpe:/a:redhat:openshift:4.19::el9
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream EUS (v. 10.0)     cpe:/o:redhat:enterprise_linux_eus:10.0
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream (v. 10)     cpe:/o:redhat:enterprise_linux:10.1
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream (v. 8)     cpe:/a:redhat:enterprise_linux:8::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream AUS (v. 8.2)     cpe:/a:redhat:rhel_aus:8.2::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream AUS (v.8.4)     cpe:/a:redhat:rhel_aus:8.4::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)     cpe:/a:redhat:rhel_eus_long_life:8.4::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream AUS (v.8.6)     cpe:/a:redhat:rhel_aus:8.6::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream E4S (v.8.6)     cpe:/a:redhat:rhel_e4s:8.6::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream TUS (v.8.6)     cpe:/a:redhat:rhel_tus:8.6::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream E4S (v.8.8)     cpe:/a:redhat:rhel_e4s:8.8::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream TUS (v.8.8)     cpe:/a:redhat:rhel_tus:8.8::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream E4S (v.9.0)     cpe:/a:redhat:rhel_e4s:9.0::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream E4S (v.9.2)     cpe:/a:redhat:rhel_e4s:9.2::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream EUS (v.9.4)     cpe:/a:redhat:rhel_eus:9.4::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream EUS (v.9.6)     cpe:/a:redhat:rhel_eus:9.6::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream (v. 9)     cpe:/a:redhat:enterprise_linux:9::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux BaseOS EUS (v. 10.0)     cpe:/o:redhat:enterprise_linux_eus:10.0
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux BaseOS (v. 10)     cpe:/o:redhat:enterprise_linux:10.1
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux BaseOS (v. 8)     cpe:/o:redhat:enterprise_linux:8::baseos
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux BaseOS AUS (v. 8.2)     cpe:/o:redhat:rhel_aus:8.2::baseos
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux BaseOS AUS (v.8.4)     cpe:/o:redhat:rhel_aus:8.4::baseos
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)     cpe:/o:redhat:rhel_eus_long_life:8.4::baseos
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux BaseOS AUS (v.8.6)     cpe:/o:redhat:rhel_aus:8.6::baseos
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux BaseOS E4S (v.8.6)     cpe:/o:redhat:rhel_e4s:8.6::baseos
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux BaseOS TUS (v.8.6)     cpe:/o:redhat:rhel_tus:8.6::baseos
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux BaseOS E4S (v.8.8)     cpe:/o:redhat:rhel_e4s:8.8::baseos
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux BaseOS TUS (v.8.8)     cpe:/o:redhat:rhel_tus:8.8::baseos
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux BaseOS E4S (v.9.0)     cpe:/o:redhat:rhel_e4s:9.0::baseos
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux BaseOS E4S (v.9.2)     cpe:/o:redhat:rhel_e4s:9.2::baseos
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux BaseOS EUS (v.9.4)     cpe:/o:redhat:rhel_eus:9.4::baseos
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux BaseOS EUS (v.9.6)     cpe:/o:redhat:rhel_eus:9.6::baseos
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux BaseOS (v. 9)     cpe:/o:redhat:enterprise_linux:9::baseos
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux CRB (v. 8)     cpe:/a:redhat:enterprise_linux:8::crb
    Create a notification for this product.
    Red Hat Red Hat CodeReady Linux Builder EUS (v.9.4)     cpe:/a:redhat:rhel_eus:9.4::crb
    Create a notification for this product.
    Red Hat Red Hat CodeReady Linux Builder EUS (v.9.6)     cpe:/a:redhat:rhel_eus:9.6::crb
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)     cpe:/a:redhat:enterprise_linux:9::crb
    Create a notification for this product.
    Red Hat OPENJDK ELS 11.0.31     cpe:/a:redhat:openjdk_els:11
    Create a notification for this product.
    Red Hat Red Hat AI Inference Server 3.3     cpe:/a:redhat:ai_inference_server:3.3::el9
    Create a notification for this product.
    Red Hat Red Hat Build of OpenJDK 17.0.9     cpe:/a:redhat:openjdk:17
    Create a notification for this product.
    Red Hat Red Hat Ceph Storage 8     cpe:/a:redhat:ceph_storage:8::el9
    Create a notification for this product.
    Red Hat Red Hat Discovery 2     cpe:/a:redhat:discovery:2::el9
    Create a notification for this product.
    Red Hat Red Hat Hardened Images     cpe:/a:redhat:hummingbird:1
    Create a notification for this product.
    Red Hat Red Hat build of OpenJDK 1.8     cpe:/a:redhat:openjdk:1.8
    Create a notification for this product.
    Red Hat Red Hat build of OpenJDK 21     cpe:/a:redhat:openjdk:21
    Create a notification for this product.
    Red Hat Red Hat build of OpenJDK 25     cpe:/a:redhat:openjdk:25
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 10     cpe:/o:redhat:enterprise_linux:10
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 6     cpe:/o:redhat:enterprise_linux:6
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 9     cpe:/o:redhat:enterprise_linux:9
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 7     cpe:/o:redhat:enterprise_linux:7
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2026-02-10T17:25:31.583Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/02/09/7"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25646",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-11T15:31:50.552532Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-11T15:31:58.665Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-g8hp-mq4h-rqm3"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/o:redhat:rhel_els:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux Server (v. 7 ELS)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk_els:11::el7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenJDK 11 ELS for RHEL 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:rhel_els:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux Server Optional (v. 7 ELS)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk_els:11::el8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenJDK 11 ELS for RHEL 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift:4.12::el8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Container Platform 4.12",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk_els:11::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenJDK 11 ELS for RHEL 9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift:4.13::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Container Platform 4.13",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift:4.14::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Container Platform 4.14",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift:4.15::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Container Platform 4.15",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift:4.16::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Container Platform 4.16",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift:4.17::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Container Platform 4.17",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift:4.18::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Container Platform 4.18",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift:4.19::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Container Platform 4.19",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux_eus:10.0"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10.1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 10)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:8::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_aus:8.2::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_aus:8.4::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream AUS (v.8.4)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus_long_life:8.4::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_aus:8.6::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream AUS (v.8.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_e4s:8.6::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream E4S (v.8.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_tus:8.6::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream TUS (v.8.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_e4s:8.8::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream E4S (v.8.8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_tus:8.8::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream TUS (v.8.8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_e4s:9.0::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream E4S (v.9.0)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_e4s:9.2::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus:9.4::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus:9.6::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:9::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 9)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux_eus:10.0"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux BaseOS EUS (v. 10.0)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10.1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux BaseOS (v. 10)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:8::baseos"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux BaseOS (v. 8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:rhel_aus:8.2::baseos"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux BaseOS AUS (v. 8.2)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:rhel_aus:8.4::baseos"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux BaseOS AUS (v.8.4)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:rhel_eus_long_life:8.4::baseos"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:rhel_aus:8.6::baseos"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux BaseOS AUS (v.8.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:rhel_e4s:8.6::baseos"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux BaseOS E4S (v.8.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:rhel_tus:8.6::baseos"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux BaseOS TUS (v.8.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:rhel_e4s:8.8::baseos"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux BaseOS E4S (v.8.8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:rhel_tus:8.8::baseos"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux BaseOS TUS (v.8.8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:rhel_e4s:9.0::baseos"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux BaseOS E4S (v.9.0)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:rhel_e4s:9.2::baseos"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux BaseOS E4S (v.9.2)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:rhel_eus:9.4::baseos"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux BaseOS EUS (v.9.4)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:rhel_eus:9.6::baseos"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux BaseOS EUS (v.9.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:9::baseos"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux BaseOS (v. 9)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:8::crb"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux CRB (v. 8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus:9.4::crb"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat CodeReady Linux Builder EUS (v.9.4)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus:9.6::crb"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:9::crb"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk_els:11"
                ],
                "defaultStatus": "affected",
                "product": "OPENJDK ELS 11.0.31",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ai_inference_server:3.3::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat AI Inference Server 3.3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:17"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of OpenJDK 17.0.9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ceph_storage:8::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Ceph Storage 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:discovery:2::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Discovery 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:hummingbird:1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Hardened Images",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:1.8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of OpenJDK 1.8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:21"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of OpenJDK 21",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:25"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of OpenJDK 25",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux 10",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:6"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux 6",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux 9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:7"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 7",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-02-10T17:04:38.501Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A heap based buffer overflow flaw has been discovered in LibPNG. Prior to version 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user\u0027s display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "HIGH",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-125",
                    "description": "Out-of-bounds Read",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:06:32.587Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-25646"
              },
              {
                "name": "RHBZ#2438542",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2438542"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-25646.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:4756"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:7032"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9254"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:12274"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:7239"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:15087"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:14773"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:10097"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:17596"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:6553"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:7243"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:3577"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:3551"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9686"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:6445"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:6439"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:7035"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:6466"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:7036"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:6467"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:7033"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:6469"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:7034"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:6468"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:3573"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:4222"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:3575"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:4221"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:3574"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:3969"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:3576"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:3968"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:3405"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:3031"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:4728"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:4732"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:4731"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:4730"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:4729"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:4306"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9255"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:8748"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:8746"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:8747"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:16174"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9687"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:5606"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:4501"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:6732"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:4756: Red Hat Enterprise Linux Server (v. 7 ELS), Red Hat Enterprise Linux Server Optional (v. 7 ELS)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:7032: Red Hat Enterprise Linux Server (v. 7 ELS)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9254: Red Hat OpenJDK 11 ELS for RHEL 7, Red Hat OpenJDK 11 ELS for RHEL 8, Red Hat OpenJDK 11 ELS for RHEL 9"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:12274: Red Hat OpenShift Container Platform 4.12"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:7239: Red Hat OpenShift Container Platform 4.13"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:15087: Red Hat OpenShift Container Platform 4.14"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:14773: Red Hat OpenShift Container Platform 4.15"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:10097: Red Hat OpenShift Container Platform 4.16"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:17596: Red Hat OpenShift Container Platform 4.17"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:6553: Red Hat OpenShift Container Platform 4.18"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:7243: Red Hat OpenShift Container Platform 4.19"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:3577: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux BaseOS EUS (v. 10.0)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:3551: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9686: Red Hat CodeReady Linux Builder EUS (v.9.4), Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream (v. 8), Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux AppStream AUS (v.8.4), Red Hat Enterprise Linux AppStream AUS (v.8.6), Red Hat Enterprise Linux AppStream E4S (v.8.6), Red Hat Enterprise Linux AppStream E4S (v.8.8), Red Hat Enterprise Linux AppStream E4S (v.9.0), Red Hat Enterprise Linux AppStream E4S (v.9.2), Red Hat Enterprise Linux AppStream EUS (v.9.4), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4), Red Hat Enterprise Linux AppStream TUS (v.8.6), Red Hat Enterprise Linux AppStream TUS (v.8.8), Red Hat Enterprise Linux CRB (v. 8), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:6445: Red Hat Enterprise Linux AppStream (v. 8)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:6439: Red Hat Enterprise Linux AppStream (v. 8)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:7035: Red Hat Enterprise Linux AppStream AUS (v. 8.2)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:6466: Red Hat Enterprise Linux AppStream AUS (v. 8.2)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:7036: Red Hat Enterprise Linux AppStream AUS (v.8.4), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:6467: Red Hat Enterprise Linux AppStream AUS (v.8.4), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:7033: Red Hat Enterprise Linux AppStream AUS (v.8.6), Red Hat Enterprise Linux AppStream E4S (v.8.6), Red Hat Enterprise Linux AppStream TUS (v.8.6)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:6469: Red Hat Enterprise Linux AppStream AUS (v.8.6), Red Hat Enterprise Linux AppStream E4S (v.8.6), Red Hat Enterprise Linux AppStream TUS (v.8.6)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:7034: Red Hat Enterprise Linux AppStream E4S (v.8.8), Red Hat Enterprise Linux AppStream TUS (v.8.8)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:6468: Red Hat Enterprise Linux AppStream E4S (v.8.8), Red Hat Enterprise Linux AppStream TUS (v.8.8)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:3573: Red Hat Enterprise Linux AppStream E4S (v.9.0), Red Hat Enterprise Linux BaseOS E4S (v.9.0)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:4222: Red Hat Enterprise Linux AppStream E4S (v.9.0)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:3575: Red Hat Enterprise Linux AppStream E4S (v.9.2), Red Hat Enterprise Linux BaseOS E4S (v.9.2)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:4221: Red Hat Enterprise Linux AppStream E4S (v.9.2)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:3574: Red Hat Enterprise Linux AppStream EUS (v.9.4), Red Hat Enterprise Linux BaseOS EUS (v.9.4)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:3969: Red Hat Enterprise Linux AppStream EUS (v.9.4)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:3576: Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux BaseOS EUS (v.9.6)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:3968: Red Hat Enterprise Linux AppStream EUS (v.9.6)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:3405: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:3031: Red Hat Enterprise Linux AppStream (v. 9)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:4728: Red Hat Enterprise Linux BaseOS (v. 8)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:4732: Red Hat Enterprise Linux BaseOS AUS (v. 8.2)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:4731: Red Hat Enterprise Linux BaseOS AUS (v.8.4), Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:4730: Red Hat Enterprise Linux BaseOS AUS (v.8.6), Red Hat Enterprise Linux BaseOS E4S (v.8.6), Red Hat Enterprise Linux BaseOS TUS (v.8.6)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:4729: Red Hat Enterprise Linux BaseOS E4S (v.8.8), Red Hat Enterprise Linux BaseOS TUS (v.8.8)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:4306: Red Hat Enterprise Linux CRB (v. 8)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9255: OPENJDK ELS 11.0.31"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:8748: Red Hat AI Inference Server 3.3"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:8746: Red Hat AI Inference Server 3.3"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:8747: Red Hat AI Inference Server 3.3"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:16174: Red Hat AI Inference Server 3.3"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9687: Red Hat Build of OpenJDK 17.0.9"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:5606: Red Hat Ceph Storage 8"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:4501: Red Hat Discovery 2"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:6732: Red Hat Hardened Images"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-02-10T18:01:28.232Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-02-10T17:04:38.501Z",
                "value": "Made public."
              }
            ],
            "title": "libpng: LIBPNG has a heap buffer overflow in png_set_quantize",
            "workarounds": [
              {
                "lang": "en",
                "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "libpng",
              "vendor": "pnggroup",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.6.55"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user\u0027s display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-122",
                  "description": "CWE-122: Heap-based Buffer Overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-126",
                  "description": "CWE-126: Buffer Over-read",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-10T17:04:38.501Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pnggroup/libpng/security/advisories/GHSA-g8hp-mq4h-rqm3",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-g8hp-mq4h-rqm3"
            },
            {
              "name": "https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e5a1c7277d88",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e5a1c7277d88"
            }
          ],
          "source": {
            "advisory": "GHSA-g8hp-mq4h-rqm3",
            "discovery": "UNKNOWN"
          },
          "title": "LIBPNG has a heap buffer overflow in png_set_quantize"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-25646",
        "datePublished": "2026-02-10T17:04:38.501Z",
        "dateReserved": "2026-02-04T05:15:41.791Z",
        "dateUpdated": "2026-06-30T12:06:32.587Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-22801 (GCVE-0-2026-22801)

    Vulnerability from cvelistv5 – Published: 2026-01-12 22:57 – Updated: 2026-01-13 19:37
    VLAI
    Title
    LIBPNG has an integer truncation causing heap buffer over-read in png_image_write_*
    Summary
    LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-125 - Out-of-bounds Read
    • CWE-190 - Integer Overflow or Wraparound
    Assigner
    References
    Impacted products
    Vendor Product Version
    pnggroup libpng Affected: < 1.6.54
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-22801",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-13T19:37:38.282435Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-13T19:37:45.414Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "libpng",
              "vendor": "pnggroup",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.6.54"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-125",
                  "description": "CWE-125: Out-of-bounds Read",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-190",
                  "description": "CWE-190: Integer Overflow or Wraparound",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-12T22:57:58.288Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pnggroup/libpng/security/advisories/GHSA-vgjq-8cw5-ggw8",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-vgjq-8cw5-ggw8"
            }
          ],
          "source": {
            "advisory": "GHSA-vgjq-8cw5-ggw8",
            "discovery": "UNKNOWN"
          },
          "title": "LIBPNG has an integer truncation causing heap buffer over-read in png_image_write_*"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-22801",
        "datePublished": "2026-01-12T22:57:58.288Z",
        "dateReserved": "2026-01-09T22:50:10.287Z",
        "dateUpdated": "2026-01-13T19:37:45.414Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-22695 (GCVE-0-2026-22695)

    Vulnerability from cvelistv5 – Published: 2026-01-12 22:55 – Updated: 2026-01-13 19:07
    VLAI
    Title
    LIBPNG has a heap buffer over-read in png_image_read_direct_scaled (regression from CVE-2025-65018 fix)
    Summary
    LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.51 to 1.6.53, there is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018. This vulnerability is fixed in 1.6.54.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    pnggroup libpng Affected: < 1.6.54
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-22695",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-13T14:13:00.487878Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-13T19:07:10.972Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "libpng",
              "vendor": "pnggroup",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.6.54"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.51 to 1.6.53, there is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018. This vulnerability is fixed in 1.6.54."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-125",
                  "description": "CWE-125: Out-of-bounds Read",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-12T22:55:40.204Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pnggroup/libpng/security/advisories/GHSA-mmq5-27w3-rxpp",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-mmq5-27w3-rxpp"
            },
            {
              "name": "https://github.com/pnggroup/libpng/issues/778",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/issues/778"
            },
            {
              "name": "https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea"
            },
            {
              "name": "https://github.com/pnggroup/libpng/commit/e4f7ad4ea2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/commit/e4f7ad4ea2"
            }
          ],
          "source": {
            "advisory": "GHSA-mmq5-27w3-rxpp",
            "discovery": "UNKNOWN"
          },
          "title": "LIBPNG has a heap buffer over-read in png_image_read_direct_scaled (regression from CVE-2025-65018 fix)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-22695",
        "datePublished": "2026-01-12T22:55:40.204Z",
        "dateReserved": "2026-01-08T19:23:09.855Z",
        "dateUpdated": "2026-01-13T19:07:10.972Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-66293 (GCVE-0-2025-66293)

    Vulnerability from cvelistv5 – Published: 2025-12-03 20:33 – Updated: 2025-12-04 01:31
    VLAI
    Title
    LIBPNG has an out-of-bounds read in png_image_read_composite
    Summary
    LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.52, an out-of-bounds read vulnerability in libpng's simplified API allows reading up to 1012 bytes beyond the png_sRGB_base[512] array when processing valid palette PNG images with partial transparency and gamma correction. The PNG files that trigger this vulnerability are valid per the PNG specification; the bug is in libpng's internal state management. Upgrade to libpng 1.6.52 or later.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    pnggroup libpng Affected: < 1.6.52
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66293",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-03T20:52:13.771582Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-03T20:55:03.573Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/pnggroup/libpng/issues/764"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-12-04T01:31:47.574Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/12/03/6"
              },
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/12/03/7"
              },
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/12/03/8"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "libpng",
              "vendor": "pnggroup",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.6.52"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.52, an out-of-bounds read vulnerability in libpng\u0027s simplified API allows reading up to 1012 bytes beyond the png_sRGB_base[512] array when processing valid palette PNG images with partial transparency and gamma correction. The PNG files that trigger this vulnerability are valid per the PNG specification; the bug is in libpng\u0027s internal state management. Upgrade to libpng 1.6.52 or later."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-125",
                  "description": "CWE-125: Out-of-bounds Read",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-03T20:33:57.086Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pnggroup/libpng/security/advisories/GHSA-9mpm-9pxh-mg4f",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-9mpm-9pxh-mg4f"
            },
            {
              "name": "https://github.com/pnggroup/libpng/issues/764",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/issues/764"
            },
            {
              "name": "https://github.com/pnggroup/libpng/commit/788a624d7387a758ffd5c7ab010f1870dea753a1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/commit/788a624d7387a758ffd5c7ab010f1870dea753a1"
            },
            {
              "name": "https://github.com/pnggroup/libpng/commit/a05a48b756de63e3234ea6b3b938b8f5f862484a",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/commit/a05a48b756de63e3234ea6b3b938b8f5f862484a"
            }
          ],
          "source": {
            "advisory": "GHSA-9mpm-9pxh-mg4f",
            "discovery": "UNKNOWN"
          },
          "title": "LIBPNG has an out-of-bounds read in png_image_read_composite"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-66293",
        "datePublished": "2025-12-03T20:33:57.086Z",
        "dateReserved": "2025-11-26T23:11:46.392Z",
        "dateUpdated": "2025-12-04T01:31:47.574Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-65018 (GCVE-0-2025-65018)

    Vulnerability from cvelistv5 – Published: 2025-11-24 23:50 – Updated: 2025-11-25 19:29
    VLAI
    Title
    LIBPNG is vulnerable to a heap buffer overflow in `png_combine_row` triggered via `png_image_finish_read`
    Summary
    LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, there is a heap buffer overflow vulnerability in the libpng simplified API function png_image_finish_read when processing 16-bit interlaced PNGs with 8-bit output format. Attacker-crafted interlaced PNG files cause heap writes beyond allocated buffer bounds. This issue has been patched in version 1.6.51.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    pnggroup libpng Affected: >= 1.6.0, < 1.6.51
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-65018",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-25T19:29:28.950712Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-25T19:29:33.633Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-7wv6-48j4-hj3g"
              },
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/pnggroup/libpng/issues/755"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "libpng",
              "vendor": "pnggroup",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.6.0, \u003c 1.6.51"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, there is a heap buffer overflow vulnerability in the libpng simplified API function png_image_finish_read when processing 16-bit interlaced PNGs with 8-bit output format. Attacker-crafted interlaced PNG files cause heap writes beyond allocated buffer bounds. This issue has been patched in version 1.6.51."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-787",
                  "description": "CWE-787: Out-of-bounds Write",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-122",
                  "description": "CWE-122: Heap-based Buffer Overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-24T23:50:18.294Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pnggroup/libpng/security/advisories/GHSA-7wv6-48j4-hj3g",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-7wv6-48j4-hj3g"
            },
            {
              "name": "https://github.com/pnggroup/libpng/issues/755",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/issues/755"
            },
            {
              "name": "https://github.com/pnggroup/libpng/pull/757",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/pull/757"
            },
            {
              "name": "https://github.com/pnggroup/libpng/commit/16b5e3823918840aae65c0a6da57c78a5a496a4d",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/commit/16b5e3823918840aae65c0a6da57c78a5a496a4d"
            },
            {
              "name": "https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea"
            }
          ],
          "source": {
            "advisory": "GHSA-7wv6-48j4-hj3g",
            "discovery": "UNKNOWN"
          },
          "title": "LIBPNG is vulnerable to a heap buffer overflow in `png_combine_row` triggered via `png_image_finish_read`"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-65018",
        "datePublished": "2025-11-24T23:50:18.294Z",
        "dateReserved": "2025-11-13T15:36:51.680Z",
        "dateUpdated": "2025-11-25T19:29:33.633Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-64720 (GCVE-0-2025-64720)

    Vulnerability from cvelistv5 – Published: 2025-11-24 23:45 – Updated: 2025-11-25 19:28
    VLAI
    Title
    LIBPNG is vulnerable to a buffer overflow in `png_image_read_composite` via incorrect palette premultiplication
    Summary
    LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, an out-of-bounds read vulnerability exists in png_image_read_composite when processing palette images with PNG_FLAG_OPTIMIZE_ALPHA enabled. The palette compositing code in png_init_read_transformations incorrectly applies background compositing during premultiplication, violating the invariant component ≤ alpha × 257 required by the simplified PNG API. This issue has been patched in version 1.6.51.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    pnggroup libpng Affected: >= 1.6.0, < 1.6.51
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-64720",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-25T19:28:16.806638Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-25T19:28:20.336Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-hfc7-ph9c-wcww"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "libpng",
              "vendor": "pnggroup",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.6.0, \u003c 1.6.51"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, an out-of-bounds read vulnerability exists in png_image_read_composite when processing palette images with PNG_FLAG_OPTIMIZE_ALPHA enabled. The palette compositing code in png_init_read_transformations incorrectly applies background compositing during premultiplication, violating the invariant component \u2264 alpha \u00d7 257 required by the simplified PNG API. This issue has been patched in version 1.6.51."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-125",
                  "description": "CWE-125: Out-of-bounds Read",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-24T23:45:38.315Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pnggroup/libpng/security/advisories/GHSA-hfc7-ph9c-wcww",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-hfc7-ph9c-wcww"
            },
            {
              "name": "https://github.com/pnggroup/libpng/issues/686",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/issues/686"
            },
            {
              "name": "https://github.com/pnggroup/libpng/pull/751",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/pull/751"
            },
            {
              "name": "https://github.com/pnggroup/libpng/commit/08da33b4c88cfcd36e5a706558a8d7e0e4773643",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/commit/08da33b4c88cfcd36e5a706558a8d7e0e4773643"
            }
          ],
          "source": {
            "advisory": "GHSA-hfc7-ph9c-wcww",
            "discovery": "UNKNOWN"
          },
          "title": "LIBPNG is vulnerable to a buffer overflow in `png_image_read_composite` via incorrect palette premultiplication"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-64720",
        "datePublished": "2025-11-24T23:45:38.315Z",
        "dateReserved": "2025-11-10T14:07:42.922Z",
        "dateUpdated": "2025-11-25T19:28:20.336Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-64506 (GCVE-0-2025-64506)

    Vulnerability from cvelistv5 – Published: 2025-11-24 23:41 – Updated: 2025-11-25 19:27
    VLAI
    Title
    LIBPNG is vulnerable to a heap buffer over-read in `png_write_image_8bit` with grayscale+alpha or RGB/RGBA images
    Summary
    LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, a heap buffer over-read vulnerability exists in libpng's png_write_image_8bit function when processing 8-bit images through the simplified write API with convert_to_8bit enabled. The vulnerability affects 8-bit grayscale+alpha, RGB/RGBA, and images with incomplete row data. A conditional guard incorrectly allows 8-bit input to enter code expecting 16-bit input, causing reads up to 2 bytes beyond allocated buffer boundaries. This issue has been patched in version 1.6.51.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    pnggroup libpng Affected: >= 1.6.0, < 1.6.51
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-64506",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-25T19:26:55.005617Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-25T19:27:04.161Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "libpng",
              "vendor": "pnggroup",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.6.0, \u003c 1.6.51"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, a heap buffer over-read vulnerability exists in libpng\u0027s png_write_image_8bit function when processing 8-bit images through the simplified write API with convert_to_8bit enabled. The vulnerability affects 8-bit grayscale+alpha, RGB/RGBA, and images with incomplete row data. A conditional guard incorrectly allows 8-bit input to enter code expecting 16-bit input, causing reads up to 2 bytes beyond allocated buffer boundaries. This issue has been patched in version 1.6.51."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-125",
                  "description": "CWE-125: Out-of-bounds Read",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-24T23:41:09.207Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pnggroup/libpng/security/advisories/GHSA-qpr4-xm66-hww6",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-qpr4-xm66-hww6"
            },
            {
              "name": "https://github.com/pnggroup/libpng/pull/749",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/pull/749"
            },
            {
              "name": "https://github.com/pnggroup/libpng/commit/2bd84c019c300b78e811743fbcddb67c9d9bf821",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/commit/2bd84c019c300b78e811743fbcddb67c9d9bf821"
            }
          ],
          "source": {
            "advisory": "GHSA-qpr4-xm66-hww6",
            "discovery": "UNKNOWN"
          },
          "title": "LIBPNG is vulnerable to a heap buffer over-read in `png_write_image_8bit` with grayscale+alpha or RGB/RGBA images"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-64506",
        "datePublished": "2025-11-24T23:41:09.207Z",
        "dateReserved": "2025-11-05T21:15:39.399Z",
        "dateUpdated": "2025-11-25T19:27:04.161Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-64505 (GCVE-0-2025-64505)

    Vulnerability from cvelistv5 – Published: 2025-11-24 23:38 – Updated: 2025-11-25 18:55
    VLAI
    Title
    LIBPNG is vulnerable to a heap buffer overflow in `png_do_quantize` via malformed palette index
    Summary
    LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to version 1.6.51, a heap buffer over-read vulnerability exists in libpng's png_do_quantize function when processing PNG files with malformed palette indices. The vulnerability occurs when palette_lookup array bounds are not validated against externally-supplied image data, allowing an attacker to craft a PNG file with out-of-range palette indices that trigger out-of-bounds memory access. This issue has been patched in version 1.6.51.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    pnggroup libpng Affected: < 1.6.51
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-64505",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-25T18:55:44.084881Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-25T18:55:50.619Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "libpng",
              "vendor": "pnggroup",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.6.51"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to version 1.6.51, a heap buffer over-read vulnerability exists in libpng\u0027s png_do_quantize function when processing PNG files with malformed palette indices. The vulnerability occurs when palette_lookup array bounds are not validated against externally-supplied image data, allowing an attacker to craft a PNG file with out-of-range palette indices that trigger out-of-bounds memory access. This issue has been patched in version 1.6.51."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-125",
                  "description": "CWE-125: Out-of-bounds Read",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-24T23:38:40.405Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pnggroup/libpng/security/advisories/GHSA-4952-h5wq-4m42",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-4952-h5wq-4m42"
            },
            {
              "name": "https://github.com/pnggroup/libpng/pull/748",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/pull/748"
            },
            {
              "name": "https://github.com/pnggroup/libpng/commit/6a528eb5fd0dd7f6de1c39d30de0e41473431c37",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pnggroup/libpng/commit/6a528eb5fd0dd7f6de1c39d30de0e41473431c37"
            }
          ],
          "source": {
            "advisory": "GHSA-4952-h5wq-4m42",
            "discovery": "UNKNOWN"
          },
          "title": "LIBPNG is vulnerable to a heap buffer overflow in `png_do_quantize` via malformed palette index"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-64505",
        "datePublished": "2025-11-24T23:38:40.405Z",
        "dateReserved": "2025-11-05T19:12:25.104Z",
        "dateUpdated": "2025-11-25T18:55:50.619Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }