CVE-2026-22801

EUVD-2026-2416
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.8 MEDIUM
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 6%
Affected Products (NVD)
VendorProductVersion
libpnglibpng
1.6.26 ≤
𝑥
< 1.6.54
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libpng1.6
bookworm
1.6.39-2+deb12u5
fixed
bookworm (security)
1.6.39-2+deb12u5
fixed
bullseye
vulnerable
bullseye (security)
1.6.37-3+deb11u4
fixed
forky
1.6.58-1
fixed
sid
1.6.58-1
fixed
trixie
1.6.48-1+deb13u5
fixed
trixie (security)
1.6.48-1+deb13u5
fixed
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
libpng16-16
suse enterprise desktop 15 SP7
1.6.40-150600.3.6.1
fixed
suse enterprise sap 15 SP4
1.6.34-150000.3.19.1
fixed
suse enterprise sap 15 SP5
1.6.34-150000.3.19.1
fixed
suse enterprise sap 15 SP7
1.6.40-150600.3.6.1
fixed
suse enterprise server 15 SP4
1.6.34-150000.3.19.1
fixed
suse enterprise server 15 SP5
1.6.34-150000.3.19.1
fixed
suse enterprise server 15 SP7
1.6.40-150600.3.6.1
fixed
libpng16-16-32bit
suse enterprise desktop 15 SP7
1.6.40-150600.3.6.1
fixed
suse enterprise sap 15 SP4
1.6.34-150000.3.19.1
fixed
suse enterprise sap 15 SP5
1.6.34-150000.3.19.1
fixed
suse enterprise sap 15 SP7
1.6.40-150600.3.6.1
fixed
suse enterprise server 15 SP4
1.6.34-150000.3.19.1
fixed
suse enterprise server 15 SP5
1.6.34-150000.3.19.1
fixed
suse enterprise server 15 SP7
1.6.40-150600.3.6.1
fixed
libpng16-compat-devel
suse enterprise desktop 15 SP7
1.6.40-150600.3.6.1
fixed
suse enterprise sap 15 SP4
1.6.34-150000.3.19.1
fixed
suse enterprise sap 15 SP5
1.6.34-150000.3.19.1
fixed
suse enterprise sap 15 SP7
1.6.40-150600.3.6.1
fixed
suse enterprise server 15 SP4
1.6.34-150000.3.19.1
fixed
suse enterprise server 15 SP5
1.6.34-150000.3.19.1
fixed
suse enterprise server 15 SP7
1.6.40-150600.3.6.1
fixed
libpng16-devel
suse enterprise desktop 15 SP7
1.6.40-150600.3.6.1
fixed
suse enterprise sap 15 SP4
1.6.34-150000.3.19.1
fixed
suse enterprise sap 15 SP5
1.6.34-150000.3.19.1
fixed
suse enterprise sap 15 SP7
1.6.40-150600.3.6.1
fixed
suse enterprise server 15 SP4
1.6.34-150000.3.19.1
fixed
suse enterprise server 15 SP5
1.6.34-150000.3.19.1
fixed
suse enterprise server 15 SP7
1.6.40-150600.3.6.1
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
libpng
RHEL 8
2:1.6.34-10.el8_10
fixed
RHEL 8.2 AUS
2:1.6.34-8.el8_2.2
fixed
RHEL 8.4 AUS
2:1.6.34-8.el8_4.2
fixed
RHEL 8.6 AUS
2:1.6.34-8.el8_6.2
fixed
RHEL 8.6 E4S
2:1.6.34-8.el8_6.2
fixed
RHEL 8.6 TUS
2:1.6.34-8.el8_6.2
fixed
RHEL 8.8 E4S
2:1.6.34-8.el8_8.2
fixed
RHEL 8.8 TUS
2:1.6.34-8.el8_8.2
fixed
RHEL 9
2:1.6.37-12.el9_7.2
fixed
libpng-devel
RHEL 8
2:1.6.34-10.el8_10
fixed
RHEL 8.2 AUS
2:1.6.34-8.el8_2.2
fixed
RHEL 8.4 AUS
2:1.6.34-8.el8_4.2
fixed
RHEL 8.6 AUS
2:1.6.34-8.el8_6.2
fixed
RHEL 8.6 E4S
2:1.6.34-8.el8_6.2
fixed
RHEL 8.6 TUS
2:1.6.34-8.el8_6.2
fixed
RHEL 8.8 E4S
2:1.6.34-8.el8_8.2
fixed
RHEL 8.8 TUS
2:1.6.34-8.el8_8.2
fixed
RHEL 9
2:1.6.37-12.el9_7.2
fixed
mingw32-libpng
RHEL 8
0:1.6.34-2.el8_10
fixed
mingw32-libpng-static
RHEL 8
0:1.6.34-2.el8_10
fixed
mingw64-libpng
RHEL 8
0:1.6.34-2.el8_10
fixed
mingw64-libpng-static
RHEL 8
0:1.6.34-2.el8_10
fixed
Common Weakness Enumeration
References
https://github.com/pnggroup/libpng/security/advisories/GHSA-vgjq-8cw5-ggw8