CVE-2026-22695Out-of-bounds Read in Libpng

CWE-125Out-of-bounds Read12 documents9 sources
Severity
7.1HIGHNVD
EPSS
0.0%
top 91.46%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Pnggroup LibpngLibpng
Timeline
PublishedJan 12
Latest updateFeb 12

Description

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.51 to 1.6.53, there is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018. This vulnerability is fixed in 1.6.54.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:HExploitability: 1.8 | Impact: 5.2

Affected Packages2 packages

NVDlibpng/libpng1.6.511.6.54
CVEListV5pnggroup/libpng< 1.6.54

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

4
OSV
libpng1.6 vulnerabilities2026-02-12
OSV
libpng1.6 vulnerabilities2026-01-14
OSV
CVE-2026-22695: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files2026-01-12
CVEList
LIBPNG has a heap buffer over-read in png_image_read_direct_scaled (regression from CVE-2025-65018 fix)2026-01-12

📋Vendor Advisories

5
Ubuntu
libpng vulnerabilities2026-02-12
Ubuntu
libpng vulnerabilities2026-01-14
Microsoft
LIBPNG has a heap buffer over-read in png_image_read_direct_scaled (regression from CVE-2025-65018 fix)2026-01-13
Red Hat
libpng: libpng: Denial of service and information disclosure via heap buffer over-read in png_image_finish_read2026-01-12
Debian
CVE-2026-22695: libpng1.6 - LIBPNG is a reference library for use in applications that read, create, and man...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-22695 Impact, Exploitability, and Mitigation Steps | Wiz

💬Community

1
Bugzilla
CVE-2026-22695 libpng: libpng: Denial of service and information disclosure via heap buffer over-read in png_image_finish_read2026-01-13