Main Vulnerability Database Vulnerabilities #VU125600

Out-of-bounds read in libpng - CVE-2026-33636

Published: April 9, 2026

Vulnerability identifier: #VU125600

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2026-33636

CWE-ID: CWE-125

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: libpng

Affected software:
libpng

Detailed vulnerability description

The vulnerability allows a remote attacker to cause a denial of service, disclose sensitive information, and corrupt memory.

The vulnerability exists due to out-of-bounds read and out-of-bounds write in the ARM/AArch64 Neon palette expansion path when decoding a crafted paletted PNG image with palette expansion enabled. A remote attacker can supply a specially crafted PNG image to cause a denial of service, disclose sensitive information, and corrupt memory.

Only builds targeting ARM/AArch64 with Neon enabled are affected. The issue is triggered for palette-based images during palette expansion, with the RGBA path requiring a tRNS chunk and the RGB path requiring no tRNS chunk. User interaction is required to open or process the crafted image.

How to mitigate CVE-2026-33636

Install security update from vendor's website.

Sources

https://github.com/pnggroup/libpng/security/advisories/GHSA-wjr5-c57x-95m2

Out-of-bounds read in libpng - CVE-2026-33636

Detailed vulnerability description

How to mitigate CVE-2026-33636

Sources

Please verify you're human