CVE-2026-22695

EUVD-2026-2420

12.01.2026, 23:15

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.51 to 1.6.53, there is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018. This vulnerability is fixed in 1.6.54.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.1 MEDIUM	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
libpng	libpng	1.6.51 ≤ 𝑥 < 1.6.54

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

libpng1.6

bookworm	vulnerable
bookworm (security)	1.6.39-2+deb12u4 fixed
bullseye	vulnerable
bullseye (security)	1.6.37-3+deb11u3 fixed
forky	1.6.56-1 fixed
sid	1.6.57-1 fixed
trixie	1.6.48-1+deb13u3 fixed
trixie (security)	1.6.48-1+deb13u4 fixed

Known Exploits!

Common Weakness Enumeration

CWE-125 - Out-of-bounds Read
The software reads data past the end, or before the beginning, of the intended buffer.

References

https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea

https://github.com/pnggroup/libpng/commit/e4f7ad4ea2

https://github.com/pnggroup/libpng/issues/778

https://github.com/pnggroup/libpng/security/advisories/GHSA-mmq5-27w3-rxpp