CVE-2026-3713
Heap-Based Buffer Overflow in libpng pnm2png Local Exploit
Publication date: 2026-03-08
Last updated on: 2026-04-29
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pnggroup | libpng | up to 1.6.55 (inclusive) |
| pnggroup | libpng | 1.8.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3713 is a heap-based buffer overflow vulnerability in the pnggroup libpng library, specifically in the function do_pnm2png within the file contrib/pngminus/pnm2png.c. The vulnerability arises from an integer overflow in the calculation of the variable row_bytes, which is based on attacker-controlled width and height values read from a PNM file header.
Although there is a guard condition intended to prevent oversized allocations, it fails when row_bytes wraps around to a small non-zero value due to integer overflow. This causes the program to allocate an undersized buffer on the heap.
Subsequently, the program writes pixel data into this undersized buffer using the original width and channel count, which results in writing more bytes than allocated, causing a heap buffer overflow.
This flaw can be exploited by an attacker who controls the PNM file header values, and a proof-of-concept exploit has been published.
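To make the integer-overflow mechanism concrete, the following C program is an added illustration; it is not libpng's code and does not reproduce contrib/pngminus/pnm2png.c. The pnm_header struct, the MAX_ROW_BYTES limit and all function names are assumptions. It shows a naive 32-bit row_bytes computation whose "too large" guard is satisfied by a wrapped value, next to an overflow-checked computation that rejects the same header before anything is allocated, and a check that reports the mismatch between the allocated size and what a width-driven pixel loop would write.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical PNM header fields; these are not libpng's structures.
 * width/height come from the file and are therefore untrusted. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t channels;   /* 1 for greyscale, 3 for RGB */
    uint32_t bit_depth;  /* 8 or 16 bits per sample */
} pnm_header;

/* Assumed policy limit for a single row (PNG rows are bounded below this). */
#define MAX_ROW_BYTES 0x7fffffffu

/* Naive row-size computation of the kind the advisory describes: the
 * product is formed in 32-bit unsigned arithmetic, so a large width can
 * wrap to a small non-zero value. The "too large" guard only inspects the
 * wrapped result and is therefore satisfied. Returns the size the caller
 * would hand to malloc(), or 0 when the guard rejects the header. */
uint32_t naive_row_bytes(const pnm_header *h)
{
    uint32_t row_bytes = h->width * h->channels * (h->bit_depth / 8);
    if (row_bytes == 0 || row_bytes > MAX_ROW_BYTES)
        return 0;
    return row_bytes;
}

/* Bytes a row really needs, computed in 64-bit so it cannot wrap. Used to
 * show how far the naive value is from what the pixel loop will write. */
uint64_t true_row_bytes(const pnm_header *h)
{
    return (uint64_t)h->width * h->channels * (h->bit_depth / 8);
}

/* Hardened version: each multiplication is checked before it is performed,
 * so a wrapped value never reaches the guard or the allocator. */
bool checked_row_bytes(const pnm_header *h, size_t *out)
{
    size_t bytes_per_sample = h->bit_depth / 8;
    if (h->width == 0 || h->channels == 0 || bytes_per_sample == 0)
        return false;
    if ((size_t)h->width > SIZE_MAX / h->channels)
        return false;
    size_t row = (size_t)h->width * h->channels;
    if (row > SIZE_MAX / bytes_per_sample)
        return false;
    row *= bytes_per_sample;
    if (row > MAX_ROW_BYTES)
        return false;
    *out = row;
    return true;
}

/* True when a pixel loop driven by width*channels samples would write past
 * a buffer of `allocated` bytes: the condition AddressSanitizer reports. */
bool row_write_overflows(const pnm_header *h, size_t allocated)
{
    return true_row_bytes(h) > (uint64_t)allocated;
}

int main(void)
{
    /* Constructed header: 715827883 * 3 * 2 == 2^32 + 2, which wraps to 2. */
    pnm_header crafted = { 715827883u, 1u, 3u, 16u };
    pnm_header normal  = { 640u, 480u, 3u, 8u };
    size_t row = 0;

    printf("naive   crafted: %u bytes allocated, %llu needed\n",
           naive_row_bytes(&crafted),
           (unsigned long long)true_row_bytes(&crafted));
    printf("checked crafted: %s\n",
           checked_row_bytes(&crafted, &row) ? "accepted" : "rejected");
    printf("checked normal : %s, %zu bytes\n",
           checked_row_bytes(&normal, &row) ? "accepted" : "rejected", row);
    return 0;
}
```

The hardened path uses division-based pre-checks rather than compiler builtins so it behaves the same on 32-bit and 64-bit builds; on either, the crafted header is rejected because the checked product exceeds MAX_ROW_BYTES (or SIZE_MAX) instead of silently wrapping to 2.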
How can this vulnerability impact me?
This vulnerability can impact the confidentiality, integrity, and availability of the affected system.
Because it is a heap buffer overflow, exploitation could lead to arbitrary code execution, crashes, or other unpredictable behavior within applications using the vulnerable libpng versions.
However, exploitation requires local access to the system: the attack vector is limited to local execution.
The availability of a public proof-of-concept exploit makes it easier for attackers to leverage this vulnerability.
No known countermeasures or patches have been provided yet, so affected users should consider alternative products or mitigations.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is triggered by processing a malicious PNM file whose crafted width and height values cause a heap buffer overflow in the do_pnm2png() function of libpng. Because the attack requires local execution, detection focuses on identifying attempts to process suspicious or malformed PNM files on the host.
One practical detection method is to run the vulnerable pnm2png utility with AddressSanitizer (ASAN) enabled, which can detect heap buffer overflows during execution. Using a proof-of-concept malicious PNM file triggers the overflow and ASAN reports the error.
Example command to test with ASAN (assuming you have a vulnerable build of pnm2png with ASAN instrumentation):
- ASAN_OPTIONS=detect_leaks=0 ./pnm2png poc_intovf_pnm2png.pnm
Monitoring system logs or application crash reports for heap buffer overflow errors related to pnm2png or libpng can also help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to stop using the vulnerable pnm2png utility (libpng versions up to 1.6.55) to process untrusted PNM files, since exploitation requires local access and the processing of a malicious file.
Since no official patch or response has been provided yet, consider the following actions:
- Restrict local access to systems running vulnerable libpng versions to trusted users only.
- Avoid processing untrusted or suspicious PNM files with the vulnerable pnm2png tool.
- Consider using alternative image processing tools or libraries that are not affected by this vulnerability.
- Monitor for updates or patches from the libpng project and apply them as soon as they become available.