CVE-2026-22695
Heap Buffer Over-read in libpng png_image_finish_read Function
Publication date: 2026-01-12
Last updated on: 2026-01-12
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pnggroup | libpng | 1.6.51 |
| pnggroup | libpng | 1.6.52 |
| pnggroup | libpng | 1.6.53 |
| pnggroup | libpng | 1.6.54 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can impact you by causing application crashes due to segmentation faults when negative row strides are used, and by leaking adjacent heap memory contents when padded strides are used. The leaked memory could include sensitive data such as passwords, keys, or other image data. The exploit complexity is low and requires user interaction, such as opening a crafted PNG file. It affects applications using libpng's simplified API with non-default row strides, including image viewers, graphics frameworks, and game engines. [1, 2]
Can you explain this vulnerability to me?
CVE-2026-22695 is a heap buffer over-read vulnerability in the libpng library's simplified API function png_image_read_direct_scaled. It occurs when processing interlaced 16-bit PNG images with an 8-bit output format and a non-minimal row stride (either larger than the actual row width for alignment or negative for bottom-up layouts). The function incorrectly uses the stride value as the size parameter in a memcpy operation instead of the actual row width, causing it to read beyond the allocated buffer. This can lead to reading heap memory out-of-bounds, causing crashes or leaking sensitive data. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying applications that use libpng versions 1.6.51 through 1.6.53 and process interlaced 16-bit PNG images with an 8-bit output format using non-minimal row strides (either padded or negative). Testing can be done by creating a crafted PNG image with 16-bit depth and interlacing, then running the vulnerable application under AddressSanitizer or similar memory error detection tools to observe heap-buffer-overflow reads. Specific commands are not provided, but using AddressSanitizer with the vulnerable application processing such crafted PNGs is recommended. [2]
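The answer above identifies the input class that reaches the affected code path: interlaced PNGs with 16-bit samples. The following is an added example, not libpng code and not from any of the cited resources; it parses the IHDR chunk of a PNG (signature, then a 13-byte IHDR whose last two fields are bit depth and interlace method) and reports whether a file matches that trigger condition, so an ingest pipeline can route such images to a patched build or to a sandboxed decoder. The function names and the two embedded sample headers are constructed for this example.

```c
/* Added example (not libpng code): parse a PNG's IHDR chunk and report whether
 * the file matches the trigger condition the advisory describes (interlaced,
 * 16-bit samples). Function names here are this example's own. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

struct png_ihdr {
    uint32_t width, height;
    uint8_t bit_depth, color_type, compression, filter, interlace;
};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Returns 0 on success, -1 if buf is not a PNG whose first chunk is IHDR. */
int parse_png_ihdr(const uint8_t *buf, size_t len, struct png_ihdr *out) {
    static const uint8_t sig[8] = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
    /* signature(8) + length(4) + type(4) + 13 data bytes + CRC(4) = 33 bytes */
    if (len < 33 || memcmp(buf, sig, 8) != 0) return -1;
    if (be32(buf + 8) != 13 || memcmp(buf + 12, "IHDR", 4) != 0) return -1;
    const uint8_t *d = buf + 16;
    out->width = be32(d);
    out->height = be32(d + 4);
    out->bit_depth = d[8];
    out->color_type = d[9];
    out->compression = d[10];
    out->filter = d[11];
    out->interlace = d[12];
    return 0;
}

/* 1 if the image has 16-bit samples and uses Adam7 interlacing (method 1). */
int png_matches_trigger(const struct png_ihdr *h) {
    return h->bit_depth == 16 && h->interlace == 1;
}

/* Returns 1 (matches), 0 (does not match) or -1 (not a parseable PNG header). */
int classify_png(const uint8_t *buf, size_t len) {
    struct png_ihdr h;
    if (parse_png_ihdr(buf, len, &h) != 0) return -1;
    return png_matches_trigger(&h);
}

/* Constructed sample: first 33 bytes of a 2x2, 16-bit RGB (color type 2),
 * interlaced PNG. The CRC bytes are zero placeholders; only IHDR matters here. */
static const uint8_t sample_interlaced16[33] = {
    0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A,
    0, 0, 0, 13, 'I', 'H', 'D', 'R',
    0, 0, 0, 2,  0, 0, 0, 2,  16, 2, 0, 0, 1,
    0, 0, 0, 0
};

/* Constructed sample: same image but 8-bit and non-interlaced. */
static const uint8_t sample_plain8[33] = {
    0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A,
    0, 0, 0, 13, 'I', 'H', 'D', 'R',
    0, 0, 0, 2,  0, 0, 0, 2,  8, 2, 0, 0, 0,
    0, 0, 0, 0
};

int main(void) {
    printf("interlaced16: %d\n", classify_png(sample_interlaced16, sizeof sample_interlaced16));
    printf("plain8:       %d\n", classify_png(sample_plain8, sizeof sample_plain8));
    return 0;
}
```

Only the first 33 bytes of a file are needed for this triage, so it can run on a stream prefix before the full image is handed to a decoder; a match is a signal to apply the upgrade or isolation steps, not proof that a particular file is malicious.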
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade libpng to version 1.6.54 or later, where the vulnerability is fixed. The fix changes the memcpy operation to copy only the actual row width bytes instead of the stride, preventing heap buffer over-reads and crashes. Until upgrading, avoid processing interlaced 16-bit PNG images with 8-bit output format using non-minimal (padded or negative) row strides in applications using vulnerable libpng versions. [2, 3]
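The fix the answer describes is a single rule: when rows are written into a caller-supplied buffer with a non-minimal stride, the number of bytes copied per row is the row width, never the stride. The following is an added example, not libpng code, of a strided row copy that applies that rule for both padded (positive) and bottom-up (negative) strides, plus a bounds predicate showing why a stride-sized copy from the last packed source row reads past the source buffer. The function names and the 3-row sample are constructed for this example.

```c
/* Added example (not libpng code): copy decoded rows into a caller buffer
 * with a signed row stride, copying only row_bytes per row as the fix does.
 * All names here (copy_rows_strided, row_copy_in_bounds, ...) are this example's own. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Returns 1 if copying copy_len bytes starting at packed source row `row`
 * (rows of row_bytes each, src_size bytes in total) stays inside the source. */
int row_copy_in_bounds(size_t src_size, size_t row_bytes, size_t row, size_t copy_len) {
    size_t start = row * row_bytes;
    if (start > src_size) return 0;
    return copy_len <= src_size - start;
}

/* Copy `height` packed source rows into dst, honouring a signed stride:
 * positive = top-down with optional padding, negative = bottom-up layout.
 * Returns 0 on success, -1 if the stride cannot hold a row or dst is too small. */
int copy_rows_strided(uint8_t *dst, ptrdiff_t stride, size_t dst_size,
                      const uint8_t *src, size_t row_bytes, size_t height) {
    size_t abs_stride = (size_t)(stride < 0 ? -stride : stride);
    if (abs_stride < row_bytes || height == 0) return -1;
    if (height > dst_size / abs_stride) return -1;          /* overflow-safe size check */
    for (size_t y = 0; y < height; ++y) {
        /* Bottom-up: row 0 is written at the highest address. */
        size_t dst_row = stride < 0 ? (height - 1 - y) : y;
        memcpy(dst + dst_row * abs_stride, src + y * row_bytes, row_bytes); /* row_bytes, not the stride */
    }
    return 0;
}

/* Constructed demo: 3 rows of 2 bytes into a bottom-up buffer with 2 bytes of
 * padding per row (stride -4). Padding is pre-filled with 0xFF so it is visible. */
int demo_bottom_up_copy(uint8_t out[12]) {
    const uint8_t src[6] = {1, 2, 3, 4, 5, 6};
    memset(out, 0xFF, 12);
    return copy_rows_strided(out, -4, 12, src, 2, 3);
}

int main(void) {
    uint8_t out[12];
    if (demo_bottom_up_copy(out) == 0) {
        for (int i = 0; i < 12; ++i) printf("%02x ", out[i]);
        printf("\n");
    }
    /* Copying the stride width (4) from the last packed row would read 2 bytes
     * past the 6-byte source; copying the row width (2) stays in bounds. */
    printf("last row, copy 2: %d\n", row_copy_in_bounds(6, 2, 2, 2));
    printf("last row, copy 4: %d\n", row_copy_in_bounds(6, 2, 2, 4));
    return 0;
}
```

The bounds predicate is the check a reviewer would apply to any row loop that takes a caller-chosen stride: the source is packed, so its last row is followed by nothing, and any copy length larger than the row width is an over-read on that row regardless of how much padding the destination has.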
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability can lead to information disclosure through heap buffer over-read, potentially leaking sensitive data such as passwords, keys, or other image data. This leakage of sensitive information could impact compliance with data protection regulations like GDPR or HIPAA, which require safeguarding personal and sensitive data. Additionally, the vulnerability can cause application crashes, affecting availability. However, the provided resources do not explicitly discuss compliance impacts or regulatory considerations. [1, 2]