CVE-2026-3713
Received Received - Intake
Heap-Based Buffer Overflow in libpng pnm2png Local Exploit

Publication date: 2026-03-08

Last updated on: 2026-04-29

Assigner: VulDB

Description
A flaw has been found in pnggroup libpng up to 1.6.55. Affected by this vulnerability is the function do_pnm2png of the file contrib/pngminus/pnm2png.c of the component pnm2png. This manipulation of the argument width/height causes heap-based buffer overflow. The attack is restricted to local execution. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-08
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3713
EUVD
EUVD-2026-10219
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
pnggroup libpng to 1.6.55 (inc)
pnggroup libpng 1.8.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-3713 is a heap-based buffer overflow vulnerability in the pnggroup libpng library, specifically in the function do_pnm2png within the file contrib/pngminus/pnm2png.c. The vulnerability arises from an integer overflow in the calculation of the variable row_bytes, which is based on attacker-controlled width and height values read from a PNM file header.

Although there is a guard condition intended to prevent oversized allocations, it fails when row_bytes wraps around to a small non-zero value due to integer overflow. This causes the program to allocate an undersized buffer on the heap.

Subsequently, the program writes pixel data into this undersized buffer using the original width and channel count, which results in writing more bytes than allocated, causing a heap buffer overflow.

This flaw can be exploited by an attacker who controls the PNM file header values, and a proof-of-concept exploit has been published.

Impact Analysis

This vulnerability can impact the confidentiality, integrity, and availability of the affected system.

Because it is a heap buffer overflow, exploitation could lead to arbitrary code execution, crashes, or other unpredictable behavior within applications using the vulnerable libpng versions.

However, exploitation requires local access to the system, as the attack is restricted to local execution.

The availability of a public proof-of-concept exploit makes it easier for attackers to leverage this vulnerability.

No known countermeasures or patches have been provided yet, so affected users should consider alternative products or mitigations.

Compliance Impact

I don't know

Detection Guidance

This vulnerability arises from processing malicious PNM files with crafted width and height values causing a heap buffer overflow in the do_pnm2png() function of libpng. Detection involves identifying attempts to process suspicious or malformed PNM files locally, as the attack requires local execution.

One practical detection method is to run the vulnerable pnm2png utility with AddressSanitizer (ASAN) enabled, which can detect heap buffer overflows during execution. Using a proof-of-concept malicious PNM file triggers the overflow and ASAN reports the error.

Example command to test with ASAN (assuming you have a vulnerable build of pnm2png with ASAN instrumentation):

  • ASAN_OPTIONS=detect_leaks=0 ./pnm2png poc_intovf_pnm2png.pnm

Monitoring system logs or application crash reports for heap buffer overflow errors related to pnm2png or libpng can also help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include avoiding the use of the vulnerable pnm2png utility or libpng versions up to 1.6.55 for processing untrusted PNM files, as exploitation requires local access and processing of malicious files.

Since no official patch or response has been provided yet, consider the following actions:

  • Restrict local access to systems running vulnerable libpng versions to trusted users only.
  • Avoid processing untrusted or suspicious PNM files with the vulnerable pnm2png tool.
  • Consider using alternative image processing tools or libraries that are not affected by this vulnerability.
  • Monitor for updates or patches from the libpng project and apply them as soon as they become available.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3713. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart