Vulnerability-Lookup

alsa-2026:14791

Vulnerability from osv_almalinux

Published

2026-05-07 00:00

Modified

2026-05-13 08:43

Summary

Moderate: libpng security update

Details

The libpng packages contain a library of functions for creating and manipulating Portable Network Graphics (PNG) image format files.

Security Fix(es):

libpng: libpng: Information disclosure and denial of service via out-of-bounds read/write in Neon palette expansion (CVE-2026-33636)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2026:14791	ADVISORY
	https://access.redhat.com/security/cve/CVE-2026-33636	REPORT
	https://bugzilla.redhat.com/2451819	REPORT
	https://errata.almalinux.org/9/ALSA-2026-14791.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "libpng"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2:1.6.37-12.el9_7.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "libpng-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2:1.6.37-12.el9_7.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "The libpng packages contain a library of functions for creating and manipulating Portable Network Graphics (PNG) image format files.  \n\nSecurity Fix(es):  \n\n  * libpng: libpng: Information disclosure and denial of service via out-of-bounds read/write in Neon palette expansion (CVE-2026-33636)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2026:14791",
  "modified": "2026-05-13T08:43:03Z",
  "published": "2026-05-07T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:14791"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-33636"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2451819"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/9/ALSA-2026-14791.html"
    }
  ],
  "related": [
    "CVE-2026-33636"
  ],
  "summary": "Moderate: libpng security update"
}

CVE-2026-33636 (GCVE-0-2026-33636)

Vulnerability from cvelistv5 – Published: 2026-03-26 16:51 – Updated: 2026-03-26 18:45

Title

LIBPNG has ARM NEON Palette Expansion Out-of-Bounds Read on AArch64

Summary

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.6.36 through 1.6.55, an out-of-bounds read and write exists in libpng's ARM/AArch64 Neon-optimized palette expansion path. When expanding 8-bit paletted rows to RGB or RGBA, the Neon loop processes a final partial chunk without verifying that enough input pixels remain. Because the implementation works backward from the end of the row, the final iteration dereferences pointers before the start of the row buffer (OOB read) and writes expanded pixel data to the same underflowed positions (OOB write). This is reachable via normal decoding of attacker-controlled PNG input if Neon is enabled. Version 1.6.56 fixes the issue.

Severity ?

7.6 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H

CWE

CWE-125 - Out-of-bounds Read
CWE-787 - Out-of-bounds Write

Assigner

GitHub_M

References

3 references

URL	Tags
https://github.com/pnggroup/libpng/security/advis…	x_refsource_CONFIRM
https://github.com/pnggroup/libpng/commit/7734cda…	x_refsource_MISC
https://github.com/pnggroup/libpng/commit/aba9f18…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
pnggroup	libpng	Affected: >= 1.6.36, < 1.6.56

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33636",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-26T18:45:14.491475Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-26T18:45:26.631Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "libpng",
          "vendor": "pnggroup",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.6.36, \u003c 1.6.56"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.6.36 through 1.6.55, an out-of-bounds read and write exists in libpng\u0027s ARM/AArch64 Neon-optimized palette expansion path. When expanding 8-bit paletted rows to RGB or RGBA, the Neon loop processes a final partial chunk without verifying that enough input pixels remain. Because the implementation works backward from the end of the row, the final iteration dereferences pointers before the start of the row buffer (OOB read) and writes expanded pixel data to the same underflowed positions (OOB write). This is reachable via normal decoding of attacker-controlled PNG input if Neon is enabled. Version 1.6.56 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-125",
              "description": "CWE-125: Out-of-bounds Read",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "CWE-787: Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-26T16:51:58.289Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/pnggroup/libpng/security/advisories/GHSA-wjr5-c57x-95m2",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-wjr5-c57x-95m2"
        },
        {
          "name": "https://github.com/pnggroup/libpng/commit/7734cda20cf1236aef60f3bbd2267c97bbb40869",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pnggroup/libpng/commit/7734cda20cf1236aef60f3bbd2267c97bbb40869"
        },
        {
          "name": "https://github.com/pnggroup/libpng/commit/aba9f18eba870d14fb52c5ba5d73451349e339c3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pnggroup/libpng/commit/aba9f18eba870d14fb52c5ba5d73451349e339c3"
        }
      ],
      "source": {
        "advisory": "GHSA-wjr5-c57x-95m2",
        "discovery": "UNKNOWN"
      },
      "title": "LIBPNG has ARM NEON Palette Expansion Out-of-Bounds Read on AArch64"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33636",
    "datePublished": "2026-03-26T16:51:58.289Z",
    "dateReserved": "2026-03-23T14:24:11.619Z",
    "dateUpdated": "2026-03-26T18:45:26.631Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

alsa-2026:14791

Vulnerability from osv_almalinux

CVE-2026-33636 (GCVE-0-2026-33636)

Tags

Sightings

Nomenclature