Main Vulnerability Database Vulnerabilities #VU125600

#VU125600 Out-of-bounds read in libpng - CVE-2026-33636

Published: April 9, 2026

Vulnerability identifier: #VU125600

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2026-33636

CWE-ID: CWE-125

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
libpng

Software vendor:
libpng

Description

The vulnerability allows a remote attacker to cause a denial of service, disclose sensitive information, and corrupt memory.

The vulnerability exists due to out-of-bounds read and out-of-bounds write in the ARM/AArch64 Neon palette expansion path when decoding a crafted paletted PNG image with palette expansion enabled. A remote attacker can supply a specially crafted PNG image to cause a denial of service, disclose sensitive information, and corrupt memory.

Only builds targeting ARM/AArch64 with Neon enabled are affected. The issue is triggered for palette-based images during palette expansion, with the RGBA path requiring a tRNS chunk and the RGB path requiring no tRNS chunk. User interaction is required to open or process the crafted image.

Remediation

Install security update from vendor's website.

External links

https://github.com/pnggroup/libpng/security/advisories/GHSA-wjr5-c57x-95m2

#VU125600 Out-of-bounds read in libpng - CVE-2026-33636

Description

Remediation

External links

Please verify you're human