Impact Analysis

This vulnerability can impact you by causing application crashes due to segmentation faults when negative row strides are used, and by leaking adjacent heap memory contents when padded strides are used. The leaked memory could include sensitive data such as passwords, keys, or other image data. The exploit complexity is low and requires user interaction, such as opening a crafted PNG file. It affects applications using libpng's simplified API with non-default row strides, including image viewers, graphics frameworks, and game engines. [1, 2]

Useful 0 Not Useful 0

Executive Summary

CVE-2026-22695 is a heap buffer over-read vulnerability in the libpng library's simplified API function png_image_read_direct_scaled. It occurs when processing interlaced 16-bit PNG images with an 8-bit output format and a non-minimal row stride (either larger than the actual row width for alignment or negative for bottom-up layouts). The function incorrectly uses the stride value as the size parameter in a memcpy operation instead of the actual row width, causing it to read beyond the allocated buffer. This can lead to reading heap memory out-of-bounds, causing crashes or leaking sensitive data. [1, 2, 3]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by identifying applications that use libpng versions 1.6.51 through 1.6.53 and process interlaced 16-bit PNG images with an 8-bit output format using non-minimal row strides (either padded or negative). Testing can be done by creating a crafted PNG image with 16-bit depth and interlacing, then running the vulnerable application under AddressSanitizer or similar memory error detection tools to observe heap-buffer-overflow reads. Specific commands are not provided, but using AddressSanitizer with the vulnerable application processing such crafted PNGs is recommended. [2]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade libpng to version 1.6.54 or later, where the vulnerability is fixed. The fix changes the memcpy operation to copy only the actual row width bytes instead of the stride, preventing heap buffer over-reads and crashes. Until upgrading, avoid processing interlaced 16-bit PNG images with 8-bit output format using non-minimal (padded or negative) row strides in applications using vulnerable libpng versions. [2, 3]

Useful 0 Not Useful 0

Compliance Impact

The vulnerability can lead to information disclosure through heap buffer over-read, potentially leaking sensitive data such as passwords, keys, or other image data. This leakage of sensitive information could impact compliance with data protection regulations like GDPR or HIPAA, which require safeguarding personal and sensitive data. Additionally, the vulnerability can cause application crashes, affecting availability. However, the provided resources do not explicitly discuss compliance impacts or regulatory considerations. [1, 2]

Useful 0 Not Useful 0