Executive Summary

CVE-2026-40930 is a vulnerability in the libpng library's push-mode APNG parser that allows attacker-controlled bytes inside ignored ancillary chunks to be misinterpreted as new chunk headers. This happens because three inter-frame chunk discard paths clear the chunk-header flag without consuming the chunk body and CRC, enabling a form of 'chunk smuggling'.

This vulnerability affects applications using libpng in push mode (such as Gecko-based browsers) and can cause denial of service or data desynchronization. It does not affect sequential-mode reading. The issue was fixed by ensuring the chunk body and CRC are properly consumed before clearing flags.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can lead to denial of service by causing fatal parse errors when smuggled data triggers CRC mismatches or sequence violations, resulting in images failing to load.

In configurations where CRC error handling is relaxed, attacker-controlled bytes may be processed as frame pixel data, potentially altering the rendered image without executing arbitrary code.

Additionally, a maliciously crafted chunk length could cause desynchronization beyond chunk boundaries, potentially leading to data corruption.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability arises from specially crafted PNG files that exploit the push-mode APNG parser in libpng. Detection involves identifying if your system or applications use vulnerable versions of libpng with the APNG patch in push mode.

Since the vulnerability is triggered by malicious PNG files, network detection can focus on monitoring for suspicious PNG files being downloaded or opened.

You can check the libpng version and patch status on your system to determine if it is vulnerable.

• Check libpng version: `ldd --version` or `pkg-config --modversion libpng` or `pngfix --version` if available.
• Search for the presence of the APNG patch or libpng 1.8.0 (which includes the patch) in your installed packages.
• Monitor network traffic for PNG files and analyze them with tools that can parse PNG chunks to detect anomalies or unexpected chunk headers.
• Use file inspection commands like `file suspicious.png` and PNG analysis tools or scripts to inspect chunk headers and CRC values.

No specific detection commands for the vulnerability itself are provided, but verifying the libpng version and patch status combined with monitoring PNG files for suspicious chunk structures is recommended.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation involves applying the available fixes or disabling the vulnerable feature.

• Upgrade libpng to a fixed version: apply commit faf0692468 for libpng 1.8.0 or the downstream patches libpng-1.6.58-apng.patch or later for libpng 1.6.x with the APNG patch.
• If upgrading is not immediately possible, rebuild libpng with APNG support disabled to prevent the vulnerable push-mode APNG parser from being used.
• Avoid opening untrusted PNG files in applications that use the vulnerable libpng push-mode APNG parser.

No runtime workaround exists, so patching or disabling APNG support at build time is necessary to mitigate the vulnerability.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify any direct impact of CVE-2026-40930 on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0