CVE-2026-33636

HIGH EPSS 43.6%
Published Mar 26, 2026 · Modified Jun 17, 2026
7.6 CVSS 3.1
High

Description

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.6.36 through 1.6.55, an out-of-bounds read and write exists in libpng's ARM/AArch64 Neon-optimized palette expansion path. When expanding 8-bit paletted rows to RGB or RGBA, the Neon loop processes a final partial chunk without verifying that enough input pixels remain. Because the implementation works backward from the end of the row, the final iteration dereferences pointers before the start of the row buffer (OOB read) and writes expanded pixel data to the same underflowed positions (OOB write). This is reachable via normal decoding of attacker-controlled PNG input if Neon is enabled. Version 1.6.56 fixes the issue.
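To make the failure mode concrete, the following scalar model of a backward, chunked palette expansion is added here as an example; it is not libpng's Neon code, and the LANES width, row layout and function names are assumptions for illustration. unchecked_tail_underflow shows how far a final chunk rounded up to a full step reaches before the start of the row, and expand_palette_rgb keeps the remainder in bounds by handling it per pixel (one way to add the missing check; the actual fix is in the referenced commits).

```c
#include <stddef.h>
#include <stdint.h>
#define LANES 8 /* pixels per vector step; assumed stand-in for the Neon lane width */

/* Pixels before the start of the row that the last chunk would touch if a backward
 * loop took a full LANES-wide step on the remainder instead of checking it. */
size_t unchecked_tail_underflow(size_t width)
{
    size_t rem = width % LANES;
    return rem == 0 ? 0 : LANES - rem;
}

/* In-place expansion of 8-bit palette indices to RGB, walking backward from the end
 * so output never overwrites an index not yet read; row must hold width*3 bytes.
 * The remainder is handled per pixel, never as a full chunk: the missing bound. */
void expand_palette_rgb(uint8_t *row, size_t width, const uint8_t (*pal)[3])
{
    size_t i = width;
    while (i >= LANES) {              /* full chunks, last one first */
        i -= LANES;
        for (size_t k = LANES; k-- > 0;) {
            uint8_t idx = row[i + k];
            row[(i + k) * 3] = pal[idx][0];
            row[(i + k) * 3 + 1] = pal[idx][1];
            row[(i + k) * 3 + 2] = pal[idx][2];
        }
    }
    while (i-- > 0) {                 /* partial chunk: fewer than LANES left */
        uint8_t idx = row[i];
        row[i * 3] = pal[idx][0];
        row[i * 3 + 1] = pal[idx][1];
        row[i * 3 + 2] = pal[idx][2];
    }
}

/* Constructed self-check: indices 0..width-1 (width <= 64) and a palette whose
 * entry n is (n, n+64, n+128). Returns 1 if every expanded pixel matches. */
int demo_expand(size_t width)
{
    uint8_t pal[64][3], row[64 * 3];
    if (width == 0 || width > 64) return 0;
    for (size_t n = 0; n < 64; n++)
        pal[n][0] = (uint8_t)n, pal[n][1] = (uint8_t)(n + 64), pal[n][2] = (uint8_t)(n + 128);
    for (size_t j = 0; j < width; j++) row[j] = (uint8_t)j;
    expand_palette_rgb(row, width, (const uint8_t (*)[3])pal);
    for (size_t j = 0; j < width; j++)
        if (row[j * 3] != (uint8_t)j || row[j * 3 + 1] != (uint8_t)(j + 64) ||
            row[j * 3 + 2] != (uint8_t)(j + 128)) return 0;
    return 1;
}
```

A width that is not a multiple of LANES (13 here) is exactly the case where the unchecked variant would step 3 pixels before the row start, while the per-pixel tail stays in bounds.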

CVSS Details

Base Score
7.6
Exploitability
2.8
Impact
4.7
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality Low
Integrity Low
Availability High

Threat Intelligence

EPSS Exploit Probability
43.6% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 2

CWE-125 Out-of-bounds Read (Memory Safety)
CWE-787 Out-of-bounds Write (Memory Safety)

Affected Products 1

Vendor: libpng
Product: libpng
Version range: ≥ 1.6.36 and < 1.6.56

References 3

  • github.com https://github.com/pnggroup/libpng/commit/7734cda20cf1236aef60f3bbd2267c97bbb40869
    Patch
  • github.com https://github.com/pnggroup/libpng/commit/aba9f18eba870d14fb52c5ba5d73451349e339c3
    Patch
  • github.com https://github.com/pnggroup/libpng/security/advisories/GHSA-wjr5-c57x-95m2
    Patch, Vendor Advisory
