FKIE_CVE-2026-33636

Vulnerability from fkie_nvd - Published: 2026-03-26 17:16 - Updated: 2026-04-02 18:42
Severity ?
7.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
Summary
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.6.36 through 1.6.55, an out-of-bounds read and write exists in libpng's ARM/AArch64 Neon-optimized palette expansion path. When expanding 8-bit paletted rows to RGB or RGBA, the Neon loop processes a final partial chunk without verifying that enough input pixels remain. Because the implementation works backward from the end of the row, the final iteration dereferences pointers before the start of the row buffer (OOB read) and writes expanded pixel data to the same underflowed positions (OOB write). This is reachable via normal decoding of attacker-controlled PNG input if Neon is enabled. Version 1.6.56 fixes the issue.
References
security-advisories@github.comhttps://github.com/pnggroup/libpng/commit/7734cda20cf1236aef60f3bbd2267c97bbb40869Patch
security-advisories@github.comhttps://github.com/pnggroup/libpng/commit/aba9f18eba870d14fb52c5ba5d73451349e339c3Patch
security-advisories@github.comhttps://github.com/pnggroup/libpng/security/advisories/GHSA-wjr5-c57x-95m2Vendor Advisory, Patch
Impacted products
Vendor Product Version
libpng libpng *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:libpng:libpng:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CF5DCAF0-FA3A-48A5-857E-C3D960A27025",
              "versionEndExcluding": "1.6.56",
              "versionStartIncluding": "1.6.36",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.6.36 through 1.6.55, an out-of-bounds read and write exists in libpng\u0027s ARM/AArch64 Neon-optimized palette expansion path. When expanding 8-bit paletted rows to RGB or RGBA, the Neon loop processes a final partial chunk without verifying that enough input pixels remain. Because the implementation works backward from the end of the row, the final iteration dereferences pointers before the start of the row buffer (OOB read) and writes expanded pixel data to the same underflowed positions (OOB write). This is reachable via normal decoding of attacker-controlled PNG input if Neon is enabled. Version 1.6.56 fixes the issue."
    },
    {
      "lang": "es",
      "value": "LIBPNG es una biblioteca de referencia para uso en aplicaciones que leen, crean y manipulan archivos de imagen r\u00e1ster PNG (Portable Network Graphics). En las versiones 1.6.36 a 1.6.55, existe una lectura y escritura fuera de l\u00edmites en la ruta de expansi\u00f3n de paleta optimizada para Neon de ARM/AArch64 de libpng. Al expandir filas paletizadas de 8 bits a RGB o RGBA, el bucle Neon procesa un fragmento parcial final sin verificar que queden suficientes p\u00edxeles de entrada. Debido a que la implementaci\u00f3n funciona hacia atr\u00e1s desde el final de la fila, la iteraci\u00f3n final desreferencia punteros antes del inicio del b\u00fafer de fila (lectura OOB) y escribe datos de p\u00edxeles expandidos en las mismas posiciones de desbordamiento inferior (escritura OOB). Esto es alcanzable a trav\u00e9s de la decodificaci\u00f3n normal de entrada PNG controlada por el atacante si Neon est\u00e1 habilitado. La versi\u00f3n 1.6.56 corrige el problema."
    }
  ],
  "id": "CVE-2026-33636",
  "lastModified": "2026-04-02T18:42:02.667",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.6,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 4.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-26T17:16:41.477",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/pnggroup/libpng/commit/7734cda20cf1236aef60f3bbd2267c97bbb40869"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/pnggroup/libpng/commit/aba9f18eba870d14fb52c5ba5d73451349e339c3"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory",
        "Patch"
      ],
      "url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-wjr5-c57x-95m2"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-125"
        },
        {
          "lang": "en",
          "value": "CWE-787"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.