SB2026012370 - openEuler update for libpng

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Out-of-bounds read (CVE-ID: CVE-2026-22695)

The vulnerability allows a remote attacker to gain access to potentially sensitive information or crash the application.

The vulnerability exists due to a boundary condition within the png_image_finish_read() function when reading 16-bit PNG images with 8-bit output format and non-minimal row stride. A remote attacker can supply a specially crafted PNG image file to the application, trigger an out-of-bounds read error and read contents of memory on the system or perform a denial of service attack.

Note, the vulnerability exists due to an incomplete fix for #VU118777 (CVE-2025-65018).

2) Out-of-bounds read (CVE-ID: CVE-2026-22801)

The vulnerability allows a remote attacker to gain access to potentially sensitive information or crash the application.

The vulnerability exists due to integer truncation within the png_write_image_16bit() and png_write_image_8bit() functions. A remote attacker can supply a specially crafted PNG file to the application, trigger an out-of-bounds read error and read contents of memory on the system or perform a denial of service attack.

3) Heap-based buffer overflow (CVE-ID: CVE-2025-65018)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the png_image_finish_read() function when processing 16-bit interlaced PNGs with 8-bit output format. A remote attacker can pass a specially crafted image file to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Install update from vendor's website.

References

• https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2026-1205