Home

Description

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.6.36 through 1.6.55, an out-of-bounds read and write exists in libpng's ARM/AArch64 Neon-optimized palette expansion path. When expanding 8-bit paletted rows to RGB or RGBA, the Neon loop processes a final partial chunk without verifying that enough input pixels remain. Because the implementation works backward from the end of the row, the final iteration dereferences pointers before the start of the row buffer (OOB read) and writes expanded pixel data to the same underflowed positions (OOB write). This is reachable via normal decoding of attacker-controlled PNG input if Neon is enabled. Version 1.6.56 fixes the issue.

PUBLISHED Reserved 2026-03-23 | Published 2026-03-26 | Updated 2026-03-26 | Assigner GitHub_M




HIGH: 7.6CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H

Problem types

CWE-125: Out-of-bounds Read

CWE-787: Out-of-bounds Write

Product status

>= 1.6.36, < 1.6.56
affected

References

github.com/...libpng/security/advisories/GHSA-wjr5-c57x-95m2

github.com/...ommit/7734cda20cf1236aef60f3bbd2267c97bbb40869

github.com/...ommit/aba9f18eba870d14fb52c5ba5d73451349e339c3

cve.org (CVE-2026-33636)

nvd.nist.gov (CVE-2026-33636)

Download JSON