CVE-2026-22801
Unknown Unknown - Not Provided
Heap Buffer Over-Read in libpng Write API via Invalid Row Stride

Publication date: 2026-01-12

Last updated on: 2026-01-12

Assigner: GitHub, Inc.

Description
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-12
Last Modified
2026-01-12
Generated
2026-06-16
AI Q&A
2026-01-13
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22801
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
libpng libpng From 1.6.26 (inc) to 1.6.53 (inc)
libpng libpng 1.6.54
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-22801 is a vulnerability in libpng versions 1.6.26 through 1.6.53 affecting the simplified write API functions png_write_image_16bit and png_write_image_8bit. It is caused by an integer truncation bug where the row stride value (which can be negative or very large) is cast from a signed type to an unsigned 16-bit integer, causing incorrect pointer arithmetic. This leads to heap buffer over-read or infinite loops when the application provides a negative row stride (used for bottom-up image layouts) or a stride exceeding 65,535 bytes. The bug was introduced to silence compiler warnings on 16-bit systems and was fixed in version 1.6.54 by removing the truncating cast and performing arithmetic on the full signed value. [1]

Impact Analysis

This vulnerability can impact you by causing information disclosure through heap buffer over-read, potentially exposing adjacent heap memory in the output image. It can also cause denial of service due to infinite loops or crashes when reading unmapped memory. Additionally, it may lead to data corruption by writing incorrect image data, although this is not a direct security impact. The attack requires local access to influence the row stride parameter and has low complexity. [1]

Detection Guidance

This vulnerability can be detected by identifying usage of the libpng simplified write API functions (such as png_write_image_16bit, png_write_image_8bit, or png_image_write_to_file) with negative or very large row stride values. Detection involves reviewing application code or binaries for calls to these functions with parameters where the row stride is negative (e.g., for bottom-up image layouts) or exceeds 65535 bytes. Example vulnerable usage includes code snippets like: ptrdiff_t stride = -row_width; // bottom-up layout png_image_write_to_file(&image, "out.png", 0, last_row, stride, NULL); or ptrdiff_t stride = 131072; // very wide 16-bit image png_image_write_to_file(&image, "out.png", 0, buffer, stride, NULL); For testing, running a test program with AddressSanitizer on vulnerable libpng versions (1.6.26 to 1.6.53) can reveal heap buffer over-read or infinite loops. There are no specific network commands since this is a local library vulnerability, but static code analysis or binary scanning for these API calls with problematic stride values is recommended. [1]

Mitigation Strategies

Immediate mitigation steps include upgrading libpng to version 1.6.54 or later, where the vulnerability is fixed by removing the truncating cast and correcting pointer arithmetic. If upgrading is not immediately possible, avoid using the simplified write API functions with negative or very large row stride values. Review and modify application code to ensure that row stride parameters are within safe bounds (non-negative and less than or equal to 65535 bytes). Additionally, consider applying patches or backported fixes from libpng 1.6.54 to your current version. Testing with AddressSanitizer can help verify if the vulnerability is still present after mitigation. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22801. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart