Description
LIBPNG is a reference library for use in applications that process PNG (Portable Network Graphics) raster image files. In version 1.8.0, three inter-frame chunk discard paths in the push-mode APNG parser clear the chunk-header flag without consuming the chunk body and CRC, allowing attacker-controlled bytes inside an ignored ancillary chunk to be reinterpreted as a fresh chunk header on the next call to `png_process_data`. Commit faf06924688b62d7c1654b5ceddedbde66ffadb4 fixes the issue.
Published: 2026-06-04
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In libpng version 1.8.0, the push-mode APNG parser contains three paths that discard inter-frame chunks by clearing the chunk-header flag without consuming the chunk body and CRC. This flaw allows attacker-controlled bytes in an ignored ancillary chunk to be interpreted as a fresh chunk header on the next call to png_process_data. The resulting header smuggling can alter how the parser processes image data, potentially leading to memory corruption, crashes or unintended control flow.

Affected Systems

The flaw affects the libpng and libpng-apng libraries distributed by the pnggroup, specifically the 1.8.0 release. Applications that link against this version and parse APNG files are at risk. Commit faf06924688b62d7c1654b5ceddedbde66ffadb4 fixes the issue.

Risk and Exploitability

The CVSS score is 5.4, indicating moderate severity. The CVSS vector (AV:N, PR:N, UI:R) describes an attack that can be delivered over the network, needs no privileges, and requires user interaction, with low integrity and availability impact. EPSS is not available, and the vulnerability is not listed in CISA KEV. The likely attack vector, inferred from the description, is a crafted APNG file delivered to an application that parses APNG. Although the exploit may not immediately result in code execution, improper header handling can cause crashes or memory corruption, which in some contexts could be leveraged for further exploitation.

Generated by OpenCVE AI on June 4, 2026 at 16:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade libpng to a version that contains the fix (commit faf06924688b62d7c1654b5ceddedbde66ffadb4 or later releases such as 1.8.1).
  • If an upgrade cannot occur immediately, modify or configure the application to disable APNG support or prevent processing of untrusted PNG inputs.
  • Implement input validation to reject PNGs containing unrecognized or oversized ancillary chunks beyond expected limits and monitor logs for parsing errors or crashes.
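The third action above, sketched as an added C example (not libpng or OpenCVE code): a framing pre-filter that checks every chunk's length, type and CRC before a buffer is handed to `png_process_data`. The allowlist, the `max_anc` cap, the return codes and the `put_chunk` sample builder are assumptions; leaving `acTL`/`fcTL`/`fdAT` off the allowlist also refuses animated input, as the second action suggests.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed policy: ancillary chunk types this application accepts.
   APNG chunks (acTL, fcTL, fdAT) are left out on purpose. */
static const char *const ALLOWED[] = {"gAMA", "sRGB", "pHYs", "tEXt", NULL};

static uint32_t be32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }

/* CRC-32 as PNG uses it, computed over chunk type + chunk data. */
static uint32_t png_crc(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (; n--; p++) {
        c ^= *p;
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Hypothetical helper for building constructed samples: writes one
   well-formed chunk into out and returns the number of bytes written. */
size_t put_chunk(uint8_t *out, const char *type, const uint8_t *data, uint32_t len) {
    out[0] = (uint8_t)(len >> 24); out[1] = (uint8_t)(len >> 16); out[2] = (uint8_t)(len >> 8); out[3] = (uint8_t)len;
    memcpy(out + 4, type, 4);
    if (len) memcpy(out + 8, data, len);
    uint32_t c = png_crc(out + 4, 4 + (size_t)len);
    uint8_t *t = out + 8 + len;
    t[0] = (uint8_t)(c >> 24); t[1] = (uint8_t)(c >> 16); t[2] = (uint8_t)(c >> 8); t[3] = (uint8_t)c;
    return 12 + (size_t)len;
}

/* Returns 0 when framing is sound and the policy holds, else a negative code. */
int png_prefilter(const uint8_t *b, size_t n, uint32_t max_anc) {
    static const uint8_t sig[8] = {0x89, 'P', 'N', 'G', '\r', '\n', 0x1A, '\n'};
    if (n < 8 || memcmp(b, sig, 8) != 0) return -1;               /* not a PNG */
    size_t off = 8;
    while (n - off >= 12) {                                       /* length + type + CRC */
        uint32_t len = be32(b + off);
        const uint8_t *type = b + off + 4;
        if (len > 0x7FFFFFFFu || len > n - off - 12) return -2;   /* body runs past the input */
        for (int i = 0; i < 4; i++)
            if ((type[i] | 0x20) < 'a' || (type[i] | 0x20) > 'z') return -3;  /* non-letter type */
        if (png_crc(type, 4 + (size_t)len) != be32(type + 4 + len)) return -4; /* CRC mismatch */
        if (type[0] & 0x20) {                                     /* lowercase first letter: ancillary */
            int ok = 0;
            for (int i = 0; ALLOWED[i]; i++) ok |= !memcmp(type, ALLOWED[i], 4);
            if (!ok) return -5;                                   /* unrecognized ancillary chunk */
            if (len > max_anc) return -6;                         /* oversized ancillary chunk */
        }
        off += 12 + (size_t)len;
        if (!memcmp(type, "IEND", 4)) return off == n ? 0 : -7;   /* trailing bytes after IEND */
    }
    return -8;                                                    /* truncated or missing IEND */
}
```

A nonzero return means the buffer should not be passed to the decoder; log the code so rejected inputs can be reviewed.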


Advisories

No advisories yet.

History

Thu, 04 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 04 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
References

Thu, 04 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description LIBPNG is a reference library for use in applications that process PNG (Portable Network Graphics) raster image files. In version 1.8.0, three inter-frame chunk discard paths in the push-mode APNG parser clear the chunk-header flag without consuming the chunk body and CRC, allowing attacker-controlled bytes inside an ignored ancillary chunk to be reinterpreted as a fresh chunk header on the next call to `png_process_data`. Commit faf06924688b62d7c1654b5ceddedbde66ffadb4 fixes the issue.
Title LIBPNG: Chunk smuggling in push-mode APNG parser via unconsumed chunk body
Weaknesses CWE-436
References
Metrics cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-04T16:37:38.286Z

Reserved: 2026-04-15T20:40:15.518Z

Link: CVE-2026-40930

Vulnrichment

Updated: 2026-06-04T15:05:19.991Z

NVD

Status: Undergoing Analysis

Published: 2026-06-04T16:16:36.633

Modified: 2026-06-04T16:23:52.530

Link: CVE-2026-40930

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T16:30:06Z

Weaknesses