CVE-2026-33636

{"id": "CVE-2026-33636", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 4.7, "exploitabilityScore": 2.8}]}, "published": "2026-03-26T17:16:41.477", "references": [{"url": "https://github.com/pnggroup/libpng/commit/7734cda20cf1236aef60f3bbd2267c97bbb40869", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/pnggroup/libpng/commit/aba9f18eba870d14fb52c5ba5d73451349e339c3", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-wjr5-c57x-95m2", "tags": ["Vendor Advisory", "Patch"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-125"}, {"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.6.36 through 1.6.55, an out-of-bounds read and write exists in libpng's ARM/AArch64 Neon-optimized palette expansion path. When expanding 8-bit paletted rows to RGB or RGBA, the Neon loop processes a final partial chunk without verifying that enough input pixels remain. Because the implementation works backward from the end of the row, the final iteration dereferences pointers before the start of the row buffer (OOB read) and writes expanded pixel data to the same underflowed positions (OOB write). This is reachable via normal decoding of attacker-controlled PNG input if Neon is enabled. Version 1.6.56 fixes the issue."}, {"lang": "es", "value": "LIBPNG es una biblioteca de referencia para uso en aplicaciones que leen, crean y manipulan archivos de imagen r\u00e1ster PNG (Portable Network Graphics). En las versiones 1.6.36 a 1.6.55, existe una lectura y escritura fuera de l\u00edmites en la ruta de expansi\u00f3n de paleta optimizada para Neon de ARM/AArch64 de libpng. Al expandir filas paletizadas de 8 bits a RGB o RGBA, el bucle Neon procesa un fragmento parcial final sin verificar que queden suficientes p\u00edxeles de entrada. Debido a que la implementaci\u00f3n funciona hacia atr\u00e1s desde el final de la fila, la iteraci\u00f3n final desreferencia punteros antes del inicio del b\u00fafer de fila (lectura OOB) y escribe datos de p\u00edxeles expandidos en las mismas posiciones de desbordamiento inferior (escritura OOB). Esto es alcanzable a trav\u00e9s de la decodificaci\u00f3n normal de entrada PNG controlada por el atacante si Neon est\u00e1 habilitado. La versi\u00f3n 1.6.56 corrige el problema."}], "lastModified": "2026-04-02T18:42:02.667", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:libpng:libpng:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CF5DCAF0-FA3A-48A5-857E-C3D960A27025", "versionEndExcluding": "1.6.56", "versionStartIncluding": "1.6.36"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}