Description
No description is available for this CVE.
Published: n/a
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: Memory Corruption
Action: Apply Patch
AI Analysis

Impact

The vulnerability is in the libpng library used by OpenJDK and is classified as CWE-787 (out-of-bounds write), a form of buffer overflow that may allow memory corruption. The official description is not available, but the weakness type suggests that out-of-bounds writes could lead to arbitrary code execution or data tampering. The primary impact from a security standpoint is the potential compromise of the confidentiality or integrity of memory used by affected processes.

Affected Systems

Affected systems include OpenJDK installations that incorporate the libpng library, particularly those maintained by Oracle and other vendors following the Oracle CPU April 2026 advisories. Specific version information is not provided, so any OpenJDK build using the vulnerable libpng implementation is potentially impacted.

Risk and Exploitability

The CVSS score of 7.1 reflects high severity, and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog. Though the official attack vector is not defined, the nature of a buffer overflow in an image parsing library implies that an attacker could supply a crafted PNG file to trigger the overflow. This could result in arbitrary code execution or process termination. Because no workaround is listed, the recommendation is to apply the vendor patch where available.

Generated by OpenCVE AI on April 28, 2026 at 19:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle CPU April 2026 patch that updates libpng in OpenJDK.
  • If the Oracle patch is not available, upgrade to a newer OpenJDK release that includes the libpng update.
  • As a temporary measure, configure applications to reject or tightly validate any untrusted PNG files before processing.


Tracking


Advisories

No advisories yet.

History

Tue, 28 Apr 2026 09:45:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Oracle; Oracle openjdk

Type: Vendors & Products
  Values Removed: (none)
  Values Added: Oracle; Oracle openjdk

Thu, 23 Apr 2026 00:15:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: No description is available for this CVE.

Type: Title
  Values Removed: (none)
  Values Added: openjdk: libpng: OpenJDK: Update LibPNG (Oracle CPU 2026-04)

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-787

Type: References
  Values Removed: (none)
  Values Added: (none)

Type: Metrics
  Values Removed: threat_severity: None
  Values Added: cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H'}; threat_severity: Important


MITRE

No data.

Vulnrichment

No data.

NVD

No data.

Redhat

Severity : Important

Public Date: 2026-04-21T20:00:00Z

Links: CVE-2026-22020 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T19:15:25Z

Weaknesses