Description
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes a heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54.
Published: 2026-01-12
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Heap buffer over-read leading to potential information disclosure
Action: Patch or Update
AI Analysis

Impact

The flaw is an integer truncation in the simplified write API functions png_write_image_16bit and png_write_image_8bit that permits a heap buffer over-read when a negative row stride or a stride larger than 65535 bytes is supplied. It lets applications that link against libpng read memory beyond the intended buffer boundaries, potentially leaking sensitive data. The vulnerability is classified under CWE-125 (Out-of-bounds Read) and CWE-190 (Integer Overflow or Wraparound) because the stride value is truncated during the cast.

Affected Systems

Library: libpng from the pnggroup organization. Versions 1.6.26 through 1.6.53 are affected; the problem was introduced in 1.6.26 and fixed in 1.6.54. Applications that invoke png_write_image_16bit or png_write_image_8bit with improper stride parameters run the risk of memory disclosure.

Risk and Exploitability

The CVSS base score of 6.8 indicates a moderate impact. EPSS is below 1%, suggesting a very low likelihood of exploitation in the near term, and the vulnerability is not listed in CISA's KEV catalog. Nevertheless, an attacker who controls the stride handed to these image-writing routines could supply a negative or excessively large value to trigger the over-read, exposing heap contents and compromising the confidentiality of the host application.

Generated by OpenCVE AI on April 18, 2026 at 06:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the libpng library to version 1.6.54 or later, which contains the fix for the integer truncation bug.
  • Validate any stride parameter before calling the simplified write API (which reaches png_write_image_16bit or png_write_image_8bit), ensuring that the stride is non-negative and less than 65536.
  • Perform a code review or static analysis of all image-writing functionality to identify remaining callers of the simplified write API and confirm that each one validates its stride or runs against a patched libpng.
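As an added example (not libpng's or OpenCVE's code), the following C guard implements the stride validation recommended above for callers of the simplified write API on an unpatched libpng. It assumes int32_t as a stand-in for png_int_32, and the 16-bit cast modelled in assumed_truncated_stride is an assumption inferred from the 65535 limit stated in the advisory, included only to show why the check matters.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not libpng code. The simplified write API takes the
 * row stride as a png_int_32 (int32_t stands in for it here); negative
 * values denote bottom-up layouts. libpng 1.6.26-1.6.53 truncates that
 * value; a cast to 16 bits is ASSUMED here, inferred from the 65535
 * limit in the advisory, purely to illustrate the failure mode. */
static uint16_t assumed_truncated_stride(int32_t row_stride)
{
    return (uint16_t)row_stride;   /* e.g. -1 -> 65535, 70000 -> 4464 */
}

/* Caller-side guard for an unpatched libpng: accept row_stride only if it
 * is non-negative, below 65536, and long enough to hold one image row.
 * width and components_per_pixel come from the caller's png_image; their
 * product is the minimum row length, assumed to be expressed in the same
 * unit as row_stride (the caller measures both the same way). */
static bool stride_is_safe(uint32_t width, uint32_t components_per_pixel,
                           int32_t row_stride)
{
    uint64_t min_row = (uint64_t)width * components_per_pixel;

    if (row_stride < 0)
        return false;                 /* bottom-up layout: would be truncated */
    if (row_stride > 65535)
        return false;                 /* exceeds the advisory's limit */
    if ((uint64_t)row_stride < min_row)
        return false;                 /* row shorter than one image row */
    return true;
}

int main(void)
{
    /* Constructed sample strides for a 640-pixel-wide, 4-component image. */
    const int32_t samples[] = { 2560, -2560, 70000, 100 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int32_t s = samples[i];
        printf("stride %6d: truncated=%5u safe=%s\n", (int)s,
               (unsigned)assumed_truncated_stride(s),
               stride_is_safe(640, 4, s) ? "yes" : "no");
    }
    return 0;
}
```

The two rejected-but-plausible cases (negative stride, stride above 65535) are exactly the inputs the advisory names; the third rejection (row too short) is a general sanity check that is useful regardless of libpng version.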


Advisories

Source       ID           Title
Debian DLA   DLA-4481-1   libpng1.6 security update
Debian DSA   DSA-6138-1   libpng1.6 security update
Ubuntu USN   USN-7963-1   libpng vulnerabilities
Ubuntu USN   USN-8035-1   libpng vulnerabilities

History

Wed, 21 Jan 2026 19:00:00 +0000

Type   Values Removed   Values Added
CPEs                    cpe:2.3:a:libpng:libpng:*:*:*:*:*:*:*:*

Tue, 13 Jan 2026 20:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 13 Jan 2026 12:15:00 +0000

Type         Values Removed           Values Added
References
Metrics      threat_severity: None    threat_severity: Moderate


Tue, 13 Jan 2026 09:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Libpng; Libpng libpng
Vendors & Products                    Libpng; Libpng libpng

Mon, 12 Jan 2026 23:15:00 +0000

Type          Values Removed   Values Added
Description                    LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54.
Title                          LIBPNG has an integer truncation causing heap buffer over-read in png_image_write_*
Weaknesses                     CWE-125; CWE-190
References
Metrics                        cvssV3_1: {'score': 6.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-13T19:37:45.414Z

Reserved: 2026-01-09T22:50:10.287Z

Link: CVE-2026-22801

Vulnrichment

Updated: 2026-01-13T19:37:42.858Z

NVD

Status: Analyzed

Published: 2026-01-12T23:15:52.907

Modified: 2026-01-21T18:58:18.270

Link: CVE-2026-22801

Redhat

Severity: Moderate

Public Date: 2026-01-12T22:57:58Z

Links: CVE-2026-22801 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T07:00:11Z

Weaknesses