Message-ID: <CAAoVtZwu1t4kjdLnVcSJ5gjOmpb+DW+Q4_pWiLJ+ag4uevwjFA@mail.gmail.com>
Date: Fri, 15 May 2026 22:27:54 +0300
From: Cosmin Truta <ctruta@...il.com>
To: oss-security@...ts.openwall.com
Subject: libpng-apng: Chunk-smuggling vulnerability in push-mode APNG parser: CVE-2026-40930

Hello, everyone,

This is an out-of-band notice. Unlike previous libpng announcements, this
one doesn't coincide with a libpng release, and the disclosure cadence
differs from the usual coordinated pattern:

- The fix landed on the libpng18 development branch (commit faf0692468)
  approximately one month before this announcement. libpng 1.8.0 is in
  late beta with no tagged release yet, so there is no upstream release
  version with which to align the disclosure. Downstream consumers
  building directly from the libpng18 branch have had the fix available
  since it landed.

- The vulnerable code originates in the third-party libpng-apng patch,
  which is not under upstream libpng control. The patch is applied
  downstream by Firefox and Thunderbird, as well as several Linux
  distributions (Gentoo and LFS/BLFS among others). The libpng-apng
  maintainer, Daisuke Nishikawa, has since released fixed revisions
  (libpng-1.6.57-apng.patch v2 and libpng-1.6.58-apng.patch); downstream
  consumers should either update to those (verifying that both upstream
  commits are included), or backport the upstream commits themselves
  (see "Related fix" below).

=== CVE-2026-40930 ===

Chunk smuggling in the push-mode APNG parser via unconsumed chunk body

Security advisory:
https://github.com/pnggroup/libpng/security/advisories/GHSA-c4v6-gxrq-6g2x

Fix on libpng18:
https://github.com/pnggroup/libpng/commit/faf06924688b62d7c1654b5ceddedbde66ffadb4

CVSS 3.1: 5.4 (Medium); CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
CWE: CWE-436 (Interpretation Conflict)

Affected (upstream): libpng 1.8.0 development branch (libpng18)
Affected (downstream): libpng-1.6.49-apng.patch through
  libpng-1.6.57-apng.patch (original v1) on SourceForge
Not affected: upstream libpng 1.6.x releases (no APNG support)
Fixed (upstream): libpng18 at commit faf0692468
Fixed (downstream): libpng-1.6.57-apng.patch v2 and
  libpng-1.6.58-apng.patch on SourceForge, released by the libpng-apng
  maintainer

Build-time mitigation: building libpng 1.8 with APNG disabled (i.e.,
without PNG_APNG_SUPPORTED), or building libpng 1.6 without the
libpng-apng patch, removes the vulnerable code. No runtime workaround
exists for push-mode applications.

Three inter-frame chunk discard paths in the push-mode APNG parser clear
the chunk-header flag without consuming the chunk body and CRC, allowing
attacker-controlled bytes inside a discarded chunk to be reinterpreted as
a fresh chunk header on the next call to png_process_data.

Impact depends on the application's CRC handling:

- Default configuration: libpng calls png_error on the resulting CRC
  mismatch or APNG sequence-number violation, and the image fails to
  load. Impact is denial of service.

- Relaxed configuration (png_set_crc_action with PNG_CRC_QUIET_USE or
  PNG_CRC_WARN_USE): smuggled bytes reach the APNG sequence counter and
  the zlib decompressor, and are decoded as frame pixel data. No code
  execution: zlib output writes into a pre-allocated row buffer. A
  crafted fake length exceeding the carrier chunk body causes cascading
  desynchronization beyond the carrier.

Sequential-mode reading (png_read_info / png_read_row / png_read_end) is
not affected. Only push-mode (png_process_data) is vulnerable, and the
Gecko-based browsers (for example) use it.

=== Related fix ===

A sibling defect in the same push-mode fdAT path was reported separately
in GitHub issue pnggroup/libpng#854 and fixed on the libpng18 branch in
commit 9ec49c2d56. It is distinct from CVE-2026-40930 and is not covered
by the advisory above. Downstream consumers of libpng-apng should apply
both commits to fully remediate the push-mode fdAT path. Those updating
to the fixed libpng-apng revisions instead should verify that both
commits are included; otherwise, 9ec49c2d56 must be backported
separately.

Related fix on libpng18:
https://github.com/pnggroup/libpng/commit/9ec49c2d56cec19107ddc458b648ce224c9697b3

Credits:
- Seung Min Shin (CVE-2026-40930 discovery)
- Ryo Shimada (GitHub issue pnggroup/libpng#854)

---
Cosmin Truta
libpng maintainer
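The discard-path bug class described in the announcement, as an added illustration that is not part of the announcement and not libpng code: a toy push-mode chunk reader that, like png_process_data, consumes what it can per call and returns to the caller. The buggy discard only clears the "have chunk header" state, so the next call reads the discarded chunk's body as a fresh length/type header; the fixed discard arranges for length + 4 (CRC) bytes to be skipped first. The sample stream is constructed (a 16-byte ancillary chunk whose body starts with a fake fdAT header, followed by IEND, with placeholder CRCs that the toy never checks); all names (push_reader, process_data, feed_stream, run_sample) are this example's own and do not correspond to libpng's internal state machine.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy push-mode PNG chunk reader.  Illustrative only; NOT libpng code. */

#define MAX_CHUNKS 8

typedef struct {
    int fixed;                   /* 0: buggy discard, 1: consume body+CRC */
    size_t skip_remaining;       /* body+CRC bytes still to be discarded */
    int chunks_seen;             /* number of chunk headers interpreted */
    uint32_t lengths[MAX_CHUNKS];
    uint8_t types[MAX_CHUNKS][4];
} push_reader;

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* One push-parser step: finish any pending discard, then read one 8-byte
 * chunk header and decide what to do with it.  Returns bytes consumed;
 * the caller feeds the remainder on the next call. */
static size_t process_data(push_reader *r, const uint8_t *buf, size_t len)
{
    size_t pos = 0;

    if (r->skip_remaining > 0) {
        size_t n = r->skip_remaining < len ? r->skip_remaining : len;
        pos += n;
        r->skip_remaining -= n;
        if (r->skip_remaining > 0)
            return pos;          /* discard continues on the next call */
    }
    if (len - pos < 8)
        return pos;              /* wait for a complete header */

    uint32_t length = be32(buf + pos);
    const uint8_t *type = buf + pos + 4;
    pos += 8;                    /* header consumed: "have chunk header" */

    if (r->chunks_seen < MAX_CHUNKS) {
        r->lengths[r->chunks_seen] = length;
        memcpy(r->types[r->chunks_seen], type, 4);
        r->chunks_seen++;
    }

    /* Inter-frame discard.  Buggy: only the header state is cleared, so
     * the body and CRC stay in the stream and the next call parses the
     * body's first 8 bytes as a header.  Fixed: length + 4 bytes are
     * skipped before any new header is accepted. */
    if (r->fixed)
        r->skip_remaining = (size_t)length + 4;
    /* "have chunk header" is cleared on both paths */
    return pos;
}

/* Caller loop over the reader, one call per step. */
static void feed_stream(push_reader *r, const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    while (pos < len) {
        size_t used = process_data(r, buf + pos, len - pos);
        if (used == 0)
            break;               /* reader is waiting for more data */
        pos += used;
    }
}

/* Constructed sample (not a real file): carrier chunk of length 16 whose
 * body begins with a fake fdAT header, then IEND.  CRCs are placeholders. */
static const uint8_t sample_stream[] = {
    0x00, 0x00, 0x00, 0x10, 't', 'E', 'X', 't',  /* carrier header, len 16 */
    0x00, 0x00, 0x00, 0x04, 'f', 'd', 'A', 'T',  /* smuggled header (body 0-7) */
    'A', 'B', 'C', 'D',                          /* fake body (body 8-11) */
    0xDE, 0xAD, 0xBE, 0xEF,                      /* fake CRC (body 12-15) */
    0x11, 0x22, 0x33, 0x44,                      /* carrier CRC */
    0x00, 0x00, 0x00, 0x00, 'I', 'E', 'N', 'D',  /* IEND header */
    0xAE, 0x42, 0x60, 0x82                       /* IEND CRC */
};

static void run_sample(int fixed, push_reader *out)
{
    memset(out, 0, sizeof *out);
    out->fixed = fixed;
    feed_stream(out, sample_stream, sizeof sample_stream);
}

/* Index at which the reader interpreted a given chunk type, or -1. */
static int sample_type_index(int fixed, const char *type)
{
    push_reader r;
    run_sample(fixed, &r);
    for (int i = 0; i < r.chunks_seen; i++)
        if (memcmp(r.types[i], type, 4) == 0)
            return i;
    return -1;
}

static int sample_chunks_seen(int fixed)
{
    push_reader r;
    run_sample(fixed, &r);
    return r.chunks_seen;
}

int main(void)
{
    printf("buggy: %d headers, fdAT at %d, IEND at %d\n",
           sample_chunks_seen(0), sample_type_index(0, "fdAT"),
           sample_type_index(0, "IEND"));
    printf("fixed: %d headers, fdAT at %d, IEND at %d\n",
           sample_chunks_seen(1), sample_type_index(1, "fdAT"),
           sample_type_index(1, "IEND"));
    return 0;
}
```

With the buggy discard the reader interprets five "headers" from the 40-byte stream, the attacker's fdAT (with an attacker-chosen length) among them, and never sees IEND at a chunk boundary; with the fixed discard it sees exactly tEXt and IEND. In real libpng the reinterpreted bytes would then hit the CRC check, the APNG sequence counter or zlib, which is where the DoS versus relaxed-CRC-mode impact split in the announcement comes from.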