Message-ID: <CAAoVtZwZkg3vN3MOdFxXA4JLqpZVTcmmtbwccXbkSAEEMiCSAA@mail.gmail.com>
Date: Tue, 13 Jan 2026 01:09:01 +0200
From: Cosmin Truta <ctruta@...il.com>
To: oss-security@...ts.openwall.com
Subject: libpng 1.6.54: two heap buffer over-read vulnerabilities fixed: CVE-2026-22695, CVE-2026-22801

Hello, everyone,

libpng 1.6.54 has been released, fixing two medium-severity heap buffer
over-read vulnerabilities in the simplified API.

=== CVE-2026-22695 ===
Heap buffer over-read in png_image_read_direct_scaled (regression from
CVE-2025-65018 fix)

Security advisory: https://github.com/pnggroup/libpng/security/advisories/GHSA-mmq5-27w3-rxpp
Remediation commit: https://github.com/pnggroup/libpng/commit/e4f7ad4ea2
CVSS 3.1: 6.1 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
CWE: CWE-125 (Out-of-bounds Read)
Affected: libpng 1.6.51 through 1.6.53
Fixed: libpng 1.6.54

This is a regression introduced by the fix for CVE-2025-65018. When
processing interlaced 16-bit PNGs with 8-bit output format and non-minimal
row stride, the png_image_read_direct_scaled() function used the caller's
stride instead of the actual row width for memcpy, causing a heap buffer
over-read.

Impact:
- Information disclosure (low): over-read may expose adjacent heap data
- Denial of service (high): negative stride causes deterministic crash

Applications using the default stride (row_stride = 0 or
row_stride = PNG_IMAGE_ROW_STRIDE(image)) are NOT affected.

Credit: Petr Simecek, Stanislav Fort and Pavel Kohout (discovery),
Petr Simecek (fix)

=== CVE-2026-22801 ===
Integer truncation causing heap buffer over-read in png_image_write_*

Security advisory: https://github.com/pnggroup/libpng/security/advisories/GHSA-vgjq-8cw5-ggw8
Remediation commit: https://github.com/pnggroup/libpng/commit/cf155de014
CVSS 3.1: 6.1 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
CWE: CWE-125 (Out-of-bounds Read), CWE-190 (Integer Overflow or Wraparound)
Affected: libpng 1.6.26 through 1.6.53
Fixed: libpng 1.6.54

The simplified write API functions png_write_image_16bit and
png_write_image_8bit cast ptrdiff_t row_bytes to png_uint_16 before pointer
arithmetic. This truncation causes heap buffer over-read when the caller
provides a negative row stride (for bottom-up layouts) or a stride exceeding
65535 bytes.

Impact:
- Information disclosure (low): over-read may expose heap data in output
- Denial of service (high): infinite loop or crash from reading unmapped memory

Applications using default stride with images narrower than 65535 bytes per
row and top-down layout are NOT affected.

Credit: Cosmin Truta (discovery and fix)

=== References ===
- GitHub Issue (CVE-2026-22695): https://github.com/pnggroup/libpng/issues/778
- libpng homepage: http://www.libpng.org/pub/png/libpng.html

---
Cosmin Truta
libpng maintainer
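The two root causes in this announcement are the same class of mistake seen from opposite sides: a copy length taken from the caller's stride rather than the row width (CVE-2026-22695), and stride arithmetic narrowed to 16 bits before it is used to locate rows (CVE-2026-22801). The following added C example is not libpng code; the strided_image type, checked_row_offset(), pack_rows() and truncated_stride() are constructed for the illustration. It walks a caller-supplied buffer with a signed stride the way a simplified-API style row copy would, keeps every stride computation in ptrdiff_t with explicit bounds checks, copies only row_bytes per row, and shows what a negative or over-65535 stride turns into after a cast to a 16-bit unsigned type.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a caller's pixel buffer (not libpng's png_image). */
typedef struct {
    const uint8_t *buf;   /* start of the caller's allocation */
    size_t buf_size;      /* size of that allocation in bytes */
    const uint8_t *row0;  /* address of image row 0 inside buf */
    ptrdiff_t stride;     /* bytes from one row to the next; negative = bottom-up */
} strided_image;

/* Bytes that genuinely belong to one row: the only legitimate memcpy length. */
size_t row_width_bytes(uint32_t width, unsigned channels, unsigned bytes_per_sample)
{
    return (size_t)width * channels * bytes_per_sample;
}

/* What a ptrdiff_t stride becomes after the kind of 16-bit cast the advisory
 * describes: negative values wrap to large positives, values above 65535 lose
 * their high bits, and the row walk then lands somewhere else entirely. */
ptrdiff_t truncated_stride(ptrdiff_t stride)
{
    return (ptrdiff_t)(uint16_t)stride;
}

/* Byte offset of row `row` inside img->buf, computed in full ptrdiff_t
 * precision. Returns -1 if the rows would overlap, the multiplication would
 * overflow, or the row is not entirely inside the allocation. */
ptrdiff_t checked_row_offset(const strided_image *img, size_t row_bytes, uint32_t row)
{
    if (row_bytes == 0 || row_bytes > (size_t)PTRDIFF_MAX) return -1;
    if (img->stride == PTRDIFF_MIN) return -1;             /* -stride would overflow */
    ptrdiff_t mag = img->stride < 0 ? -img->stride : img->stride;
    if (mag < (ptrdiff_t)row_bytes) return -1;             /* rows would overlap */
    if (row != 0 && mag > PTRDIFF_MAX / (ptrdiff_t)row) return -1;
    ptrdiff_t base = img->row0 - img->buf;                 /* offset of row 0 */
    ptrdiff_t step = (ptrdiff_t)row * img->stride;
    if (step > 0 && step > PTRDIFF_MAX - base) return -1;
    ptrdiff_t off = base + step;
    if (off < 0) return -1;
    if ((size_t)off > img->buf_size || img->buf_size - (size_t)off < row_bytes) return -1;
    return off;
}

/* Copy `height` rows into a packed top-down destination. The stride only says
 * where each row starts; exactly row_bytes are copied per row. Stops at the
 * first row that is not fully inside the source and returns rows copied. */
uint32_t pack_rows(uint8_t *dst, size_t dst_size, const strided_image *img,
                   size_t row_bytes, uint32_t height)
{
    if (row_bytes == 0 || height > dst_size / row_bytes) return 0;
    for (uint32_t r = 0; r < height; r++) {
        ptrdiff_t off = checked_row_offset(img, row_bytes, r);
        if (off < 0) return r;
        memcpy(dst + (size_t)r * row_bytes, img->buf + off, row_bytes);
    }
    return height;
}

/* Constructed sample: a 4x2 8-bit grayscale image (row_bytes = 4) stored
 * bottom-up with a padded 8-byte stride. Fills out[8] top-down, returns rows. */
uint32_t demo_bottom_up(uint8_t out[8])
{
    static const uint8_t buf[16] = {
        20, 21, 22, 23, 0, 0, 0, 0,   /* image row 1 (bottom), then padding */
        10, 11, 12, 13, 0, 0, 0, 0    /* image row 0 (top), then padding */
    };
    strided_image img = { buf, sizeof buf, buf + 8, -8 };
    return pack_rows(out, 8, &img, row_width_bytes(4, 1, 1), 2);
}

int main(void)
{
    uint8_t out[8];
    uint32_t rows = demo_bottom_up(out);
    printf("packed %u rows:", rows);
    for (size_t i = 0; i < sizeof out; i++) printf(" %u", out[i]);
    printf("\nstride -8 after 16-bit cast: %td\n", truncated_stride(-8));
    printf("stride 70000 after 16-bit cast: %td\n", truncated_stride(70000));
    return 0;
}
```

The point of checked_row_offset() is that a bottom-up layout (stride -8, row 0 at buf+8) resolves row 1 to offset 0 and rejects row 2 at offset -8, whereas the same -8 stride pushed through a 16-bit cast becomes 65528 and would step far past the allocation; a stride of 70000 likewise becomes 4464. pack_rows() also never uses the stride as a copy length, which is the invariant CVE-2026-22695 broke.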