CVE-2026-22801
Heap Buffer Over-Read in libpng Write API via Invalid Row Stride
Publication date: 2026-01-12
Last updated on: 2026-01-12
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| libpng | libpng | From 1.6.26 (inc) to 1.6.53 (inc) |
| libpng | libpng | 1.6.54 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22801 is a vulnerability in libpng versions 1.6.26 through 1.6.53 in the simplified write API. The affected code is the internal row-conversion helpers png_write_image_16bit and png_write_image_8bit, which are reached through the public entry points png_image_write_to_file, png_image_write_to_stdio and png_image_write_to_memory. It is an integer truncation bug: the row stride supplied by the caller (a signed value that may be negative, for bottom-up image layouts, or large, for very wide rows) is cast to an unsigned 16-bit integer before it is used to advance the source-row pointer. A negative stride wraps to a large positive value (for example -300 becomes 65236), so the pointer walks forward past the end of the caller's buffer instead of backwards, and a stride above 65535 loses its high bits, so rows are read from the wrong place. The result is a heap buffer over-read, or in some cases an infinite loop, whenever the application passes a negative row stride or a stride greater than 65,535 bytes. The cast had been added to silence compiler warnings on 16-bit systems; version 1.6.54 removes it and performs the arithmetic on the full signed value. [1]
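The arithmetic behind the explanation above, as an added illustration that is not libpng code: it models the effect of casting a signed row stride to an unsigned 16-bit value before using it to advance the source-row pointer, and counts how many rows of a constructed bottom-up image would then be read outside the caller's buffer. The exact expression in pngwrite.c is not reproduced; the buffer sizes, strides and row counts are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* What a signed row stride becomes after a cast to an unsigned 16-bit type:
 * the value is reduced modulo 65536 and is never negative. */
static long truncated_advance(ptrdiff_t stride)
{
    return (long)(uint16_t)stride;
}

/* Simulate the per-row pointer advance over a buffer of buf_len bytes with
 * rows of row_len bytes, starting at byte offset first_row_off. With
 * `truncate` set the advance is the 16-bit-truncated stride, otherwise the
 * full signed stride. Returns how many of the `rows` rows would be read
 * wholly or partly outside the buffer. Offsets rather than pointers are
 * used so the out-of-bounds cases can be counted without undefined
 * behaviour in the model itself. */
static size_t rows_out_of_bounds(size_t buf_len, size_t row_len,
                                 ptrdiff_t first_row_off, ptrdiff_t stride,
                                 int rows, int truncate)
{
    ptrdiff_t step = truncate ? truncated_advance(stride) : stride;
    ptrdiff_t off = first_row_off;
    size_t bad = 0;
    for (int i = 0; i < rows; i++) {
        if (off < 0 || (size_t)off + row_len > buf_len)
            bad++;
        off += step;
    }
    return bad;
}

int main(void)
{
    /* Constructed case 1: a 100 px wide 8-bit RGB image (300-byte rows),
     * 4 rows, stored bottom-up in a 1200-byte buffer: image row 0 sits at
     * offset 900 and the stride is -300. */
    printf("bottom-up: correct advance %td, truncated advance %ld\n",
           (ptrdiff_t)-300, truncated_advance(-300));
    printf("  rows read out of bounds: correct %zu, truncated %zu\n",
           rows_out_of_bounds(1200, 300, 900, -300, 4, 0),
           rows_out_of_bounds(1200, 300, 900, -300, 4, 1));
    /* Constructed case 2: a wide-row stride above 65535. 131072 is exactly
     * 2^17, so it truncates to 0: the source pointer never moves and the
     * same row is emitted for every output row. */
    printf("wide: stride 131072 truncates to %ld, 70000 to %ld\n",
           truncated_advance(131072), truncated_advance(70000));
    return 0;
}
```

With the correct signed advance all four rows of the bottom-up image lie inside the buffer; with the truncated advance only the first does, and the remaining three are read tens of kilobytes past its end, which is the over-read the advisory describes.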
How can this vulnerability impact me?
The main impact is information disclosure: the over-read copies adjacent heap memory into the output image, so bytes that were never part of the picture can end up in a PNG that is then saved, shared or uploaded. It can also cause a denial of service, through an infinite loop or a crash when the mis-advanced pointer reaches unmapped memory. A third effect is corrupt output, since the wrong source rows are written; that is a correctness problem rather than a direct security impact. Note that the row stride is a parameter chosen by the calling application, not by whoever supplies the image data, so an application that uses a bottom-up (negative stride) or very wide (stride above 65,535) layout hits the bug on every write regardless of the image contents. The advisory characterises the attack as requiring local access to influence the row stride parameter, with low complexity. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There are two things to check: whether an affected libpng (1.6.26 through 1.6.53) is installed or statically linked, and whether your code calls the simplified write API with a negative or very large row stride. For the first, query the library version directly: libpng-config --version or pkg-config --modversion libpng on a development host, dpkg -l 'libpng*' or rpm -q libpng for the distribution package, and in code PNG_LIBPNG_VER_STRING at compile time or png_get_libpng_ver(NULL) at run time. For the second, search application source or binaries for calls to png_image_write_to_file, png_image_write_to_stdio or png_image_write_to_memory and inspect the row_stride argument (declared png_int_32 in png.h); the dangerous patterns are a negative stride, used for bottom-up image layouts, and a stride exceeding 65535. Example vulnerable usage, with image, last_row and buffer set up by the application as usual:

```c
#include <png.h>

/* bottom-up layout: row 0 of the image is the last row in memory and each
 * following row is one row_width earlier, so the stride is negative */
png_int_32 stride = -row_width;
png_image_write_to_file(&image, "out.png", 0, last_row, stride, NULL);

/* very wide 16-bit image: the stride does not fit in 16 bits */
png_int_32 wide_stride = 131072;
png_image_write_to_file(&image, "out.png", 0, buffer, wide_stride, NULL);
```

For dynamic testing, build a small program that issues such a write and run it under AddressSanitizer against a vulnerable libpng (1.6.26 to 1.6.53); the over-read shows up as a heap-buffer-overflow report, and the looping case as a hang. There are no network-side signatures for this, since it is a local library bug; static analysis or binary scanning for these API calls with problematic stride values is the practical detection route. [1]
What immediate steps should I take to mitigate this vulnerability?
Upgrade libpng to version 1.6.54 or later, where the truncating cast has been removed and the pointer arithmetic is performed on the full signed stride. If upgrading is not immediately possible, keep every row stride passed to the simplified write API non-negative and no larger than 65535: write bottom-up images by first copying the rows into a temporary top-down buffer with a positive stride, and avoid padded strides that push the value above 16 bits. Be aware that a very wide image whose tight stride (width times channels) already exceeds 65535 cannot be made safe this way, and only the upgrade or a backported fix helps there. Where you maintain your own libpng build, apply the 1.6.54 fix as a patch to your current version. Re-run the AddressSanitizer test afterwards to confirm the over-read is gone. [1]
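The checks from the detection and mitigation answers above, as an added example that is not libpng's own code: a parser for the version string that png_get_libpng_ver or PNG_LIBPNG_VER_STRING report, the stride bound the mitigation text calls for, and a repacking helper that turns a bottom-up or padded 8-bit image into a tight top-down buffer so the write can be issued with a small positive stride. The function names and the 2x2 sample image are constructed for the example; the only libpng-specific fact relied on is that png_image_write_to_* take row_stride as a png_int_32 measured in components, which for 8-bit formats is bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 1 if a libpng version string such as "1.6.40" lies in the affected range
 * 1.6.26..1.6.53, 0 if it is outside that range, -1 if it does not parse. */
static int libpng_version_affected(const char *ver)
{
    unsigned major, minor, patch;
    if (sscanf(ver, "%u.%u.%u", &major, &minor, &patch) != 3)
        return -1;
    if (major != 1 || minor != 6)
        return 0;
    return (patch >= 26 && patch <= 53) ? 1 : 0;
}

/* The stride bound the mitigation calls for: not negative and representable
 * in 16 bits, so an unpatched libpng never sees a value the cast changes. */
static int row_stride_is_safe(long row_stride)
{
    return row_stride >= 0 && row_stride <= 65535;
}

/* Repack an 8-bit image of width x height pixels with `channels` components
 * each into a tight, top-down buffer. `first_row` points at image row 0 in
 * the caller's storage; `stride` (bytes) may be negative for bottom-up
 * storage or larger than width*channels for padded rows. Returns the tight
 * stride to pass to png_image_write_to_*, or -1 if the geometry is
 * inconsistent, `out` is too small, or the tight stride is itself above the
 * safe bound (in which case only the upgrade to 1.6.54 helps). */
static long repack_top_down(const uint8_t *first_row, long stride,
                            unsigned width, unsigned height, unsigned channels,
                            uint8_t *out, size_t out_len)
{
    size_t row_len = (size_t)width * channels;
    long abs_stride = stride < 0 ? -stride : stride;
    if (row_len == 0 || height == 0 || row_len > SIZE_MAX / height)
        return -1;
    if ((size_t)abs_stride < row_len || out_len < row_len * height)
        return -1;                          /* rows would overlap / no room */
    if (!row_stride_is_safe((long)row_len))
        return -1;
    for (unsigned y = 0; y < height; y++)
        memcpy(out + (size_t)y * row_len,
               first_row + (ptrdiff_t)y * stride, row_len);
    return (long)row_len;
}

/* Constructed sample: a 2x2 RGB image stored bottom-up with 2 bytes of
 * padding per row, so image row 0 sits at offset 8 and the stride is -8.
 * Returns 1 if repacking yields the expected tight top-down layout. */
static int repack_self_check(void)
{
    static const uint8_t stored[16]   = { 7, 8, 9, 10, 11, 12, 0, 0,
                                          1, 2, 3, 4, 5, 6, 0, 0 };
    static const uint8_t expected[12] = { 1, 2, 3, 4, 5, 6,
                                          7, 8, 9, 10, 11, 12 };
    uint8_t out[12];
    long s = repack_top_down(stored + 8, -8, 2, 2, 3, out, sizeof out);
    return s == 6 && memcmp(out, expected, sizeof out) == 0;
}

int main(void)
{
    printf("libpng 1.6.40 affected: %d\n", libpng_version_affected("1.6.40"));
    printf("stride -300 safe: %d, 131072 safe: %d\n",
           row_stride_is_safe(-300), row_stride_is_safe(131072));
    printf("repack self-check: %s\n", repack_self_check() ? "ok" : "FAILED");
    /* The repacked buffer is then written with its tight stride, e.g.
     * png_image_write_to_file(&image, "out.png", 0, out, (png_int_32)s, NULL),
     * where s equals PNG_IMAGE_ROW_STRIDE(image) for an unpadded layout. */
    return 0;
}
```

The repacking costs one extra copy of the image, which is the price of staying on an affected release; the version check is what you would wire into a build or startup assertion so the workaround is dropped once 1.6.54 is in place.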