CVE-2026-33636
Out-of-Bounds Read/Write in libpng Neon Palette Expansion
Publication date: 2026-03-26
Last updated on: 2026-04-02
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| libpng | libpng | From 1.6.36 (inc) to 1.6.56 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33636 is a vulnerability in the libpng library versions 1.6.36 through 1.6.55 that affects the ARM/AArch64 Neon-optimized palette expansion functions. When decoding 8-bit paletted PNG images, the Neon SIMD code processes image rows in fixed-size chunks but does not properly check if enough pixels remain for the final chunk. Because the code processes pixels backward from the end of the row, the final iteration reads and writes memory outside the valid buffer boundaries (out-of-bounds read and write). This happens due to incorrect loop conditions and pointer adjustments in the functions handling palette expansion to RGB or RGBA formats.
Specifically, the Neon loops iterate over pixel chunks without ensuring the last chunk fits entirely within the row, causing the code to dereference pointers before the start of the row buffer and write expanded pixel data to invalid memory locations. This flaw can be triggered by normal decoding of attacker-controlled PNG images if Neon optimizations are enabled.
The issue was fixed in libpng version 1.6.56 by changing the loop conditions to process only full chunks, removing incorrect pointer adjustments, and ensuring the scalar fallback code receives correctly positioned pointers.
How can this vulnerability impact me? :
This vulnerability can lead to out-of-bounds memory reads and writes during PNG image decoding on ARM/AArch64 platforms with Neon enabled. The impacts include:
- Low confidentiality impact due to potential leakage of heap contents via out-of-bounds reads controlled by attacker-crafted palette mappings.
- Low integrity impact because out-of-bounds writes can corrupt heap memory.
- High availability impact as heap corruption can cause reliable process crashes, leading to denial of service.
While arbitrary code execution has not been demonstrated, the vulnerability allows attackers to cause crashes and potentially leak sensitive information by supplying malicious PNG images.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs in libpng versions 1.6.36 through 1.6.55 when decoding attacker-controlled 8-bit paletted PNG images on ARM/AArch64 systems with Neon optimizations enabled. Detection involves identifying if your system uses a vulnerable libpng version with ARM Neon enabled and if it processes paletted PNG images.
To detect the vulnerability on your system, you can check the libpng version installed and whether it was built with ARM Neon optimizations enabled.
- Check libpng version: `ldconfig -p | grep libpng` or `pngfix --version` if available.
- Check if libpng was built with ARM Neon optimizations (this may require inspecting build flags or package build info).
- Monitor for crashes or heap corruption when processing paletted PNG images, especially those with row widths not multiples of 4 (RGBA) or 8 (RGB).
There are no specific network or system commands provided in the resources to directly detect exploitation attempts or presence of the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation steps for this vulnerability are to update libpng to version 1.6.56 or later, where the issue is fixed.
If updating is not immediately possible, a workaround is to disable ARM Neon hardware optimizations by compiling libpng with the `-DPNG_ARM_NEON_OPT=0` flag. This forces the use of the generic C code path, which is not vulnerable, though it reduces performance.
- Upgrade libpng to version 1.6.56 or later.
- Rebuild libpng with ARM Neon optimizations disabled using `-DPNG_ARM_NEON_OPT=0`.
Additionally, avoid processing untrusted or attacker-controlled paletted PNG images on vulnerable systems until patched.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability in libpng allows out-of-bounds reads that can leak heap contents via attacker-controlled palette mappings, leading to low confidentiality impact. Such information disclosure could potentially expose sensitive data processed by applications using libpng, which may affect compliance with data protection regulations like GDPR or HIPAA that require safeguarding personal or sensitive information.
Additionally, the out-of-bounds writes cause heap corruption leading to process crashes (high availability impact), which could disrupt services relying on libpng, potentially affecting operational compliance requirements.
However, there is no evidence of arbitrary code execution or high integrity impact, so the risk to data integrity and broader system compromise is lower.
Overall, the vulnerability poses a risk of limited data leakage and service disruption, which organizations must consider when assessing compliance with standards that mandate protection of confidentiality, integrity, and availability of data and services.