CVE-2026-22801

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54.

CVSS v3 6.8 MEDIUM

6.8^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.5 / Impact : 4.2

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/pnggroup/libpng/security/advisories/GHSA-vgjq-8cw5-ggw8	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:libpng:libpng:*:*:*:*:*:*:*:*

History

21 Jan 2026, 18:58

Type	Values Removed	Values Added
CPE		cpe:2.3:a:libpng:libpng::::::::
First Time		Libpng Libpng libpng
References	~~() https://github.com/pnggroup/libpng/security/advisories/GHSA-vgjq-8cw5-ggw8 -~~	() https://github.com/pnggroup/libpng/security/advisories/GHSA-vgjq-8cw5-ggw8 - Third Party Advisory

12 Jan 2026, 23:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-12 23:15

Updated : 2026-01-21 18:58

NVD link : CVE-2026-22801

Mitre link : CVE-2026-22801

CVE.ORG link : CVE-2026-22801

JSON object : View

Products Affected

libpng

libpng

CWE

CWE-125

Out-of-bounds Read

CWE-190

Integer Overflow or Wraparound

{"id": "CVE-2026-22801", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 4.2, "exploitabilityScore": 2.5}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2026-01-12T23:15:52.907", "references": [{"url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-vgjq-8cw5-ggw8", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-125"}, {"lang": "en", "value": "CWE-190"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-125"}]}], "descriptions": [{"lang": "en", "value": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54."}], "lastModified": "2026-01-21T18:58:18.270", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:libpng:libpng:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4E5664F6-3EA2-4459-8380-BEB9937EFBE1", "versionEndExcluding": "1.6.54", "versionStartIncluding": "1.6.26"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}