MidnightBSD

Advisories for libpng

CVE-2004-0421 MEDIUM

The Portable Network Graphics library (libpng) 1.0.15 and earlier allows attackers to cause a denial of service (crash) via a malformed PNG image file that triggers an error that causes an out-of-bounds read when creating the error message.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
libpng libpng 1.0.14
trustix secure_linux 2.1
openpkg openpkg 1.3
trustix secure_linux 2.0
libpng libpng 1.0.11
libpng libpng 1.2.0
libpng libpng 1.2.2
libpng libpng 1.0.13
libpng libpng 1.2.5
redhat enterprise_linux 2.1
libpng libpng 1.0.6
libpng libpng 1.0.10
libpng libpng 1.0.7
libpng libpng 1.0.0
libpng libpng 1.0.12
libpng libpng 1.0.5
openpkg openpkg 2.0
libpng libpng 1.0.9
libpng libpng 1.0.8
redhat enterprise_linux_desktop 3.0
redhat libpng 1.2.2-20
libpng libpng 1.2.1
libpng libpng 1.2.4
redhat enterprise_linux 3.0
libpng libpng 1.2.3
redhat libpng 1.2.2-16
CVE-2006-7244 MEDIUM

Memory leak in pngwutil.c in libpng 1.2.13beta1, and other versions before 1.2.15beta3, allows context-dependent attackers to cause a denial of service (memory leak or segmentation fault) via a JPEG image containing an iCCP chunk with a negative embedded profile length.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
libpng libpng 1.0.11
libpng libpng 1.0.30
libpng libpng 1.0.26
libpng libpng 1.0.13
libpng libpng 1.0.40
libpng libpng 1.2.10
libpng libpng 1.0.19
libpng libpng 1.0.0
libpng libpng 1.0.3
libpng libpng 1.0.41
libpng libpng 1.0.45
libpng libpng 1.0.22
libpng libpng 1.0.5
libpng libpng 1.0.15
libpng libpng 1.0.27
libpng libpng 1.0.20
libpng libpng 1.0.32
libpng libpng 1.0.51
libpng libpng 1.0.8
libpng libpng 1.0.39
libpng libpng 1.0.25
libpng libpng 1.0.46
libpng libpng 1.0.2
libpng libpng 1.0.28
libpng libpng 1.0.37
libpng libpng 1.0.47
libpng libpng 1.0.43
libpng libpng 1.2.14
libpng libpng 1.0.14
libpng libpng 1.0.24
libpng libpng 1.0.44
libpng libpng *
libpng libpng 1.0.18
libpng libpng 1.2.0
libpng libpng 1.0.17
libpng libpng 1.0.16
libpng libpng 1.0.48
libpng libpng 1.0.23
libpng libpng 1.2.15
libpng libpng 1.0.6
libpng libpng 1.0.29
libpng libpng 1.0.10
libpng libpng 1.0.38
libpng libpng 1.0.42
libpng libpng 1.0.7
libpng libpng 1.0.12
libpng libpng 1.2.11
libpng libpng 1.0.9
libpng libpng 1.0.1
libpng libpng 1.0.31
libpng libpng 1.0.50
libpng libpng 1.2.1
libpng libpng 1.2.13
libpng libpng 1.0.52
libpng libpng 1.0.54
libpng libpng 1.0.21
libpng libpng 1.0.53
libpng libpng 1.0.34
libpng libpng 1.0.35
libpng libpng 1.0.33
CVE-2009-0040 MEDIUM

The PNG reference library (aka libpng) before 1.0.43, and 1.2.x before 1.2.35, as used in pngcrush and other applications, allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PNG file that triggers a free of an uninitialized pointer in (1) the png_read_png function, (2) pCAL chunk handling, or (3) setup of 16-bit gamma tables.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-824,

Products Affected

Vendor Product Version
opensuse opensuse 11.1
fedoraproject fedora 10
suse linux_enterprise 10.0
debian debian_linux 4.0
opensuse opensuse 11.0
suse linux_enterprise_desktop 10
libpng libpng *
opensuse opensuse 10.3
debian debian_linux 5.0
apple iphone_os *
fedoraproject fedora 9
suse linux_enterprise_server 10
apple mac_os_x *
suse linux_enterprise 9.0
CVE-2009-5063 MEDIUM

Memory leak in the embedded_profile_len function in pngwutil.c in libpng before 1.2.39beta5 allows context-dependent attackers to cause a denial of service (memory leak or segmentation fault) via a JPEG image containing an iCCP chunk with a negative embedded profile length. NOTE: this is due to an incomplete fix for CVE-2006-7244.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-401,

Products Affected

Vendor Product Version
libpng libpng *
libpng libpng 1.2.39
CVE-2010-0205 MEDIUM

The png_decompress_chunk function in pngrutil.c in libpng 1.0.x before 1.0.53, 1.2.x before 1.2.43, and 1.4.x before 1.4.1 does not properly handle compressed ancillary-chunk data that has a disproportionately large uncompressed representation, which allows remote attackers to cause a denial of service (memory and CPU consumption, and application hang) via a crafted PNG file, as demonstrated by use of the deflate compression method on data composed of many occurrences of the same character, related to a "decompression bomb" attack.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,

Products Affected

Vendor Product Version
opensuse opensuse 11.1
suse linux_enterprise_server 9
opensuse opensuse 11.0
suse linux_enterprise_server 11
fedoraproject fedora 11
canonical ubuntu_linux 9.10
libpng libpng *
opensuse opensuse 11.2
fedoraproject fedora 13
canonical ubuntu_linux 8.10
canonical ubuntu_linux 9.04
canonical ubuntu_linux 6.06
debian debian_linux 6.0
debian debian_linux 5.0
canonical ubuntu_linux 8.04
fedoraproject fedora 12
suse linux_enterprise_server 10
apple mac_os_x *
CVE-2010-1205 HIGH

Buffer overflow in pngpread.c in libpng before 1.2.44 and 1.4.x before 1.4.3, as used in progressive applications, might allow remote attackers to execute arbitrary code via a PNG image that triggers an additional data row.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-120,

Products Affected

Vendor Product Version
mozilla seamonkey *
suse linux_enterprise_server 11
canonical ubuntu_linux 9.10
libpng libpng *
opensuse opensuse 11.2
canonical ubuntu_linux 9.04
mozilla firefox *
canonical ubuntu_linux 6.06
apple mac_os_x_server *
apple iphone_os *
fedoraproject fedora 12
apple mac_os_x *
canonical ubuntu_linux 10.04
mozilla thunderbird *
opensuse opensuse 11.1
suse linux_enterprise_server 9
google chrome *
apple safari *
vmware player *
fedoraproject fedora 13
debian debian_linux 5.0
canonical ubuntu_linux 8.04
suse linux_enterprise_server 10
vmware workstation *
apple itunes *
CVE-2010-2249 MEDIUM

Memory leak in pngrutil.c in libpng before 1.2.44, and 1.4.x before 1.4.3, allows remote attackers to cause a denial of service (memory consumption and application crash) via a PNG image containing malformed Physical Scale (aka sCAL) chunks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-401,

Products Affected

Vendor Product Version
opensuse opensuse 11.1
suse linux_enterprise_server 9
suse linux_enterprise_server 11
apple safari *
canonical ubuntu_linux 9.10
libpng libpng *
opensuse opensuse 11.2
vmware player *
fedoraproject fedora 13
apple tvos *
canonical ubuntu_linux 9.04
canonical ubuntu_linux 6.06
debian debian_linux 5.0
apple iphone_os *
canonical ubuntu_linux 8.04
fedoraproject fedora 12
suse linux_enterprise_server 10
vmware workstation *
canonical ubuntu_linux 10.04
apple itunes *
CVE-2011-0408 MEDIUM

pngrtran.c in libpng 1.5.x before 1.5.1 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted palette-based PNG image that triggers a buffer overflow, related to the png_do_expand_palette function, the png_do_rgb_to_gray function, and an integer underflow. NOTE: some of these details are obtained from third party information.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
libpng libpng 1.5.0
CVE-2011-2501 MEDIUM

The png_format_buffer function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 allows remote attackers to cause a denial of service (application crash) via a crafted PNG image that triggers an out-of-bounds read during the copying of error-message data. NOTE: this vulnerability exists because of a CVE-2004-0421 regression. NOTE: this is called an off-by-one error by some sources.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
canonical ubuntu_linux 11.04
fedoraproject fedora 14
debian debian_linux 6.0
debian debian_linux 5.0
canonical ubuntu_linux 8.04
libpng libpng *
canonical ubuntu_linux 10.10
canonical ubuntu_linux 10.04
CVE-2011-2690 MEDIUM

Buffer overflow in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4, when used by an application that calls the png_rgb_to_gray function but not the png_set_expand function, allows remote attackers to overwrite memory with an arbitrary amount of data, and possibly have unspecified other impact, via a crafted PNG image.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-120,

Products Affected

Vendor Product Version
canonical ubuntu_linux 11.04
fedoraproject fedora 14
debian debian_linux 6.0
debian debian_linux 5.0
canonical ubuntu_linux 8.04
libpng libpng *
canonical ubuntu_linux 10.10
canonical ubuntu_linux 10.04
CVE-2011-2691 MEDIUM

The png_err function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 makes a function call using a NULL pointer argument instead of an empty-string argument, which allows remote attackers to cause a denial of service (application crash) via a crafted PNG image.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
fedoraproject fedora 14
debian debian_linux 6.0
debian debian_linux 5.0
libpng libpng *
CVE-2011-2692 MEDIUM

The png_handle_sCAL function in pngrutil.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 does not properly handle invalid sCAL chunks, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a crafted PNG image that triggers the reading of uninitialized memory.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
canonical ubuntu_linux 11.04
fedoraproject fedora 14
debian debian_linux 6.0
debian debian_linux 5.0
canonical ubuntu_linux 8.04
libpng libpng *
canonical ubuntu_linux 10.10
canonical ubuntu_linux 10.04
CVE-2011-3045 MEDIUM

Integer signedness error in the png_inflate function in pngrutil.c in libpng before 1.4.10beta01, as used in Google Chrome before 17.0.963.83 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PNG file, a different vulnerability than CVE-2011-3026.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,CWE-195,

Products Affected

Vendor Product Version
google chrome *
opensuse opensuse 12.1
redhat enterprise_linux 6.0
libpng libpng *
fedoraproject fedora 17
redhat gluster_storage 2.0
redhat enterprise_linux 5.0
redhat enterprise_linux_workstation 5.0
fedoraproject fedora 15
redhat enterprise_linux_workstation 6.0
redhat storage 2.0
debian debian_linux 6.0
redhat enterprise_linux_server_eus 6.2
redhat storage_for_public_cloud 2.0
redhat enterprise_linux_desktop 6.0
fedoraproject fedora 16
redhat enterprise_linux_desktop 5.0
redhat enterprise_linux_server_aus 6.2
CVE-2011-3048 MEDIUM

The png_set_text_2 function in pngset.c in libpng 1.0.x before 1.0.59, 1.2.x before 1.2.49, 1.4.x before 1.4.11, and 1.5.x before 1.5.10 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted text chunk in a PNG image file, which triggers a memory allocation failure that is not properly handled, leading to a heap-based buffer overflow.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
libpng libpng 1.2.47
libpng libpng 1.0.11
libpng libpng 1.2.16
libpng libpng 1.2.48
libpng libpng 1.2.12
libpng libpng 1.0.13
libpng libpng 1.2.5
libpng libpng 1.0.40
libpng libpng 1.2.36
libpng libpng 1.2.33
libpng libpng 1.5.9
libpng libpng 1.0.0
libpng libpng 1.0.3
libpng libpng 1.0.41
libpng libpng 1.0.15
libpng libpng 1.2.18
libpng libpng 1.2.41
libpng libpng 1.0.27
libpng libpng 1.0.32
libpng libpng 1.0.51
libpng libpng 1.2.24
libpng libpng 1.5.5
libpng libpng 1.0.46
libpng libpng 1.5.1
libpng libpng 1.0.2
libpng libpng 1.0.28
libpng libpng 1.4.3
libpng libpng 1.4.6
libpng libpng 1.2.9
libpng libpng 1.4.1
libpng libpng 1.0.24
libpng libpng 1.0.44
libpng libpng 1.2.32
libpng libpng 1.4.4
libpng libpng 1.2.23
libpng libpng 1.5.8
libpng libpng 1.0.48
libpng libpng 1.2.42
libpng libpng 1.4.10
libpng libpng 1.2.15
libpng libpng 1.2.29
libpng libpng 1.0.38
libpng libpng 1.4.7
libpng libpng 1.0.7
libpng libpng 1.0.12
libpng libpng 1.0.55
libpng libpng 1.0.31
libpng libpng 1.0.50
libpng libpng 1.2.39
libpng libpng 1.4.0
libpng libpng 1.2.4
libpng libpng 1.2.27
libpng libpng 1.4.8
libpng libpng 1.2.31
libpng libpng 1.2.13
libpng libpng 1.0.52
libpng libpng 1.0.54
libpng libpng 1.2.7
libpng libpng 1.0.21
libpng libpng 1.0.53
libpng libpng 1.5.0
libpng libpng 1.0.34
libpng libpng 1.2.21
libpng libpng 1.0.35
libpng libpng 1.2.3
libpng libpng 1.5.6
libpng libpng 1.0.33
libpng libpng 1.2.43
libpng libpng 1.5.2
libpng libpng 1.0.30
libpng libpng 1.5.4
libpng libpng 1.0.26
libpng libpng 1.0.56
libpng libpng 1.2.2
libpng libpng 1.5.7
libpng libpng 1.2.10
libpng libpng 1.2.28
libpng libpng 1.0.19
libpng libpng 1.2.37
libpng libpng 1.2.35
libpng libpng 1.0.45
libpng libpng 1.0.22
libpng libpng 1.0.5
libpng libpng 1.2.45
libpng libpng 1.0.20
libpng libpng 1.2.46
libpng libpng 1.2.20
libpng libpng 1.2.30
libpng libpng 1.0.8
libpng libpng 1.0.39
libpng libpng 1.0.25
libpng libpng 1.2.8
libpng libpng 1.0.37
libpng libpng 1.2.44
libpng libpng 1.0.47
libpng libpng 1.2.6
libpng libpng 1.2.22
libpng libpng 1.0.43
libpng libpng 1.4.5
libpng libpng 1.2.14
libpng libpng 1.2.25
libpng libpng 1.0.14
libpng libpng 1.0.58
libpng libpng 1.5.3
libpng libpng 1.0.18
libpng libpng 1.2.0
libpng libpng 1.0.17
libpng libpng 1.2.26
libpng libpng 1.0.16
libpng libpng 1.2.17
libpng libpng 1.0.23
libpng libpng 1.0.6
libpng libpng 1.0.29
libpng libpng 1.0.10
libpng libpng 1.0.42
libpng libpng 1.2.19
libpng libpng 1.2.11
libpng libpng 1.0.9
libpng libpng 1.0.1
libpng libpng 1.4.9
libpng libpng 1.2.1
libpng libpng 1.2.38
libpng libpng 1.2.40
libpng libpng 1.5.10
libpng libpng 1.2.34
libpng libpng 1.0.57
libpng libpng 1.4.2
CVE-2012-3425 MEDIUM

The png_push_read_zTXt function in pngpread.c in libpng 1.0.x before 1.0.58, 1.2.x before 1.2.48, 1.4.x before 1.4.10, and 1.5.x before 1.5.10 allows remote attackers to cause a denial of service (out-of-bounds read) via a large avail_in field value in a PNG image.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
libpng libpng 1.2.47
canonical ubuntu_linux 15.10
libpng libpng 1.0.11
libpng libpng 1.2.16
libpng libpng 1.2.48
libpng libpng 1.2.12
libpng libpng 1.0.13
libpng libpng 1.2.5
canonical ubuntu_linux 15.04
libpng libpng 1.0.40
libpng libpng 1.2.36
debian debian_linux 6.0
libpng libpng 1.2.33
libpng libpng 1.5.9
libpng libpng 1.0.0
libpng libpng 1.0.3
libpng libpng 1.0.41
libpng libpng 1.0.15
libpng libpng 1.2.18
libpng libpng 1.2.41
libpng libpng 1.0.27
libpng libpng 1.0.32
libpng libpng 1.0.51
libpng libpng 1.2.24
libpng libpng 1.5.5
libpng libpng 1.0.46
libpng libpng 1.5.1
libpng libpng 1.0.2
libpng libpng 1.0.28
libpng libpng 1.4.3
libpng libpng 1.4.6
libpng libpng 1.2.9
libpng libpng 1.4.1
redhat libpng 1.2.2-16
libpng libpng 1.0.24
libpng libpng 1.0.44
libpng libpng 1.2.32
libpng libpng 1.4.4
libpng libpng 1.2.23
libpng libpng 1.5.8
libpng libpng 1.0.48
libpng libpng 1.2.42
libpng libpng 1.2.15
canonical ubuntu_linux 14.04
libpng libpng 1.2.29
libpng libpng 1.0.38
libpng libpng 1.4.7
libpng libpng 1.0.7
libpng libpng 1.0.12
libpng libpng 1.0.55
libpng libpng 1.0.31
libpng libpng 1.0.50
libpng libpng 1.2.39
libpng libpng 1.4.0
libpng libpng 1.2.4
libpng libpng 1.2.27
libpng libpng 1.4.8
libpng libpng 1.2.31
libpng libpng 1.2.13
libpng libpng 1.0.52
libpng libpng 1.0.54
libpng libpng 1.2.7
libpng libpng 1.0.21
libpng libpng 1.0.53
libpng libpng 1.5.0
libpng libpng 1.0.34
libpng libpng 1.2.21
libpng libpng 1.0.35
libpng libpng 1.2.3
libpng libpng 1.5.6
libpng libpng 1.0.33
libpng libpng 1.2.43
libpng libpng 1.5.2
opensuse opensuse 11.4
libpng libpng 1.0.30
libpng libpng 1.5.4
libpng libpng 1.0.26
libpng libpng 1.0.56
libpng libpng 1.2.2
libpng libpng 1.5.7
libpng libpng 1.2.10
libpng libpng 1.2.28
libpng libpng 1.0.19
libpng libpng 1.2.37
libpng libpng 1.2.35
libpng libpng 1.0.45
libpng libpng 1.0.22
libpng libpng 1.0.5
libpng libpng 1.2.45
opensuse opensuse 12.1
libpng libpng 1.0.20
libpng libpng 1.2.46
libpng libpng 1.2.20
libpng libpng 1.2.30
libpng libpng 1.0.8
libpng libpng 1.0.39
canonical ubuntu_linux 12.04
redhat libpng 1.2.2-20
libpng libpng 1.0.25
libpng libpng 1.2.8
libpng libpng 1.0.37
libpng libpng 1.2.44
libpng libpng 1.0.47
libpng libpng 1.2.6
libpng libpng 1.2.22
libpng libpng 1.0.43
libpng libpng 1.4.5
libpng libpng 1.2.14
libpng libpng 1.2.25
libpng libpng 1.0.14
libpng libpng 1.5.3
libpng libpng 1.0.18
libpng libpng 1.2.0
libpng libpng 1.0.17
libpng libpng 1.2.26
libpng libpng 1.0.16
libpng libpng 1.2.17
libpng libpng 1.0.23
libpng libpng 1.0.6
libpng libpng 1.0.29
libpng libpng 1.0.10
libpng libpng 1.0.42
libpng libpng 1.2.19
libpng libpng 1.2.11
libpng libpng 1.0.9
libpng libpng 1.0.1
libpng libpng 1.4.9
libpng libpng 1.2.1
libpng libpng 1.2.38
libpng libpng 1.2.40
libpng libpng 1.5.10
libpng libpng 1.2.34
libpng libpng 1.0.57
libpng libpng 1.4.2
CVE-2013-6954 MEDIUM

The png_do_expand_palette function in libpng before 1.6.8 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via (1) a PLTE chunk of zero bytes or (2) a NULL palette, related to pngrtran.c and pngset.c.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,CWE-476,

Products Affected

Vendor Product Version
libpng libpng 1.6.6
libpng libpng 1.6.4
libpng libpng 1.6.5
libpng libpng 1.6.7
libpng libpng *
libpng libpng 1.6.1
libpng libpng 1.6.2
libpng libpng 1.6.0
libpng libpng 1.6.3
CVE-2013-7353 MEDIUM

Integer overflow in the png_set_unknown_chunks function in libpng/pngset.c in libpng before 1.5.14beta08 allows context-dependent attackers to cause a denial of service (segmentation fault and crash) via a crafted image, which triggers a heap-based buffer overflow.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189,CWE-122,CWE-190,

Products Affected

Vendor Product Version
libpng libpng 1.5.2
libpng libpng *
libpng libpng 1.5.3
libpng libpng 1.5.11
libpng libpng 1.5.4
libpng libpng 1.5.5
libpng libpng 1.5.1
libpng libpng 1.5.7
libpng libpng 1.5.8
libpng libpng 1.5.13
libpng libpng 1.5.12
libpng libpng 1.5.0
libpng libpng 1.5.9
libpng libpng 1.5.10
libpng libpng 1.5.6
CVE-2013-7354 MEDIUM

Multiple integer overflows in libpng before 1.5.14rc03 allow remote attackers to cause a denial of service (crash) via a crafted image to the (1) png_set_sPLT or (2) png_set_text_2 function, which triggers a heap-based buffer overflow.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189,CWE-122,CWE-190,

Products Affected

Vendor Product Version
libpng libpng 1.5.2
libpng libpng *
libpng libpng 1.5.3
libpng libpng 1.5.11
libpng libpng 1.5.4
libpng libpng 1.5.5
libpng libpng 1.5.1
libpng libpng 1.5.7
libpng libpng 1.5.8
libpng libpng 1.5.13
libpng libpng 1.5.12
libpng libpng 1.5.0
libpng libpng 1.5.9
libpng libpng 1.5.10
libpng libpng 1.5.6
CVE-2014-0333 MEDIUM

The png_push_read_chunk function in pngpread.c in the progressive decoder in libpng 1.6.x through 1.6.9 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an IDAT chunk with a length of zero.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189,

Products Affected

Vendor Product Version
libpng libpng 1.6.6
libpng libpng 1.6.9
libpng libpng 1.6.4
libpng libpng 1.6.5
libpng libpng 1.6.7
libpng libpng 1.6.1
libpng libpng 1.6.8
libpng libpng 1.6.2
libpng libpng 1.6.0
libpng libpng 1.6.3
CVE-2014-9495 HIGH

Heap-based buffer overflow in the png_combine_row function in libpng before 1.5.21 and 1.6.x before 1.6.16, when running on 64-bit systems, might allow context-dependent attackers to execute arbitrary code via a "very wide interlaced" PNG image.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,CWE-122,

Products Affected

Vendor Product Version
libpng libpng 1.6.6
libpng libpng 1.6.13
libpng libpng 1.6.7
libpng libpng *
libpng libpng 1.6.1
libpng libpng 1.6.2
libpng libpng 1.6.0
libpng libpng 1.6.9
libpng libpng 1.6.4
libpng libpng 1.6.5
libpng libpng 1.6.10
libpng libpng 1.6.8
libpng libpng 1.6.12
libpng libpng 1.6.11
apple mac_os_x *
libpng libpng 1.6.14
libpng libpng 1.6.15
libpng libpng 1.6.3
CVE-2015-0973 HIGH

Buffer overflow in the png_read_IDAT_data function in pngrutil.c in libpng before 1.5.21 and 1.6.x before 1.6.16 allows context-dependent attackers to execute arbitrary code via IDAT data with a large width, a different vulnerability than CVE-2014-9495.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,CWE-120,

Products Affected

Vendor Product Version
libpng libpng 1.6.6
libpng libpng 1.6.13
oracle solaris 11.2
libpng libpng 1.6.7
libpng libpng *
libpng libpng 1.6.1
libpng libpng 1.6.2
libpng libpng 1.6.0
libpng libpng 1.6.9
libpng libpng 1.6.4
libpng libpng 1.6.5
libpng libpng 1.6.10
libpng libpng 1.6.8
libpng libpng 1.6.12
libpng libpng 1.6.11
apple mac_os_x *
libpng libpng 1.6.14
libpng libpng 1.6.15
libpng libpng 1.6.3
CVE-2015-7981 MEDIUM

The png_convert_to_rfc1123 function in png.c in libpng 1.0.x before 1.0.64, 1.2.x before 1.2.54, and 1.4.x before 1.4.17 allows remote attackers to obtain sensitive process memory information via crafted tIME chunk data in an image file, which triggers an out-of-bounds read.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
libpng libpng 1.4.13
libpng libpng 1.2.47
debian debian_linux 7.0
canonical ubuntu_linux 15.10
libpng libpng 1.0.11
libpng libpng 1.2.16
redhat enterprise_linux_server_eus 7.2
libpng libpng 1.2.48
libpng libpng 1.2.12
libpng libpng 1.0.13
libpng libpng 1.2.5
canonical ubuntu_linux 15.04
redhat enterprise_linux_server_eus 6.7.z
libpng libpng 1.0.40
libpng libpng 1.2.36
libpng libpng 1.4.12
libpng libpng 1.2.33
libpng libpng 1.0.0
libpng libpng 1.0.3
libpng libpng 1.0.41
libpng libpng 1.0.15
redhat enterprise_linux_workstation 7.0
libpng libpng 1.2.18
libpng libpng 1.2.41
libpng libpng 1.0.27
libpng libpng 1.0.32
libpng libpng 1.0.51
libpng libpng 1.2.24
libpng libpng 1.0.46
redhat enterprise_linux_workstation 6.0
libpng libpng 1.0.2
libpng libpng 1.0.28
libpng libpng 1.4.15
libpng libpng 1.2.51
redhat enterprise_linux_hpc_node 6.0
libpng libpng 1.4.3
libpng libpng 1.4.6
debian debian_linux 8.0
libpng libpng 1.2.9
libpng libpng 1.4.1
redhat enterprise_linux_hpc_node_eus 7.2
libpng libpng 1.0.63
libpng libpng 1.0.24
libpng libpng 1.0.44
redhat enterprise_linux_desktop 7.0
libpng libpng 1.2.32
libpng libpng 1.4.4
libpng libpng 1.2.23
libpng libpng 1.0.48
libpng libpng 1.2.42
libpng libpng 1.4.10
libpng libpng 1.2.15
canonical ubuntu_linux 14.04
libpng libpng 1.4.14
libpng libpng 1.2.29
libpng libpng 1.0.38
libpng libpng 1.4.7
libpng libpng 1.0.7
libpng libpng 1.0.12
libpng libpng 1.0.55
libpng libpng 1.0.31
libpng libpng 1.0.50
libpng libpng 1.2.39
libpng libpng 1.4.0
libpng libpng 1.2.4
libpng libpng 1.2.27
libpng libpng 1.4.8
libpng libpng 1.2.31
libpng libpng 1.2.13
libpng libpng 1.0.52
libpng libpng 1.0.54
libpng libpng 1.2.7
libpng libpng 1.0.21
libpng libpng 1.0.53
libpng libpng 1.0.34
libpng libpng 1.2.21
libpng libpng 1.0.35
libpng libpng 1.2.3
libpng libpng 1.4.11
libpng libpng 1.0.33
libpng libpng 1.2.43
libpng libpng 1.0.62
libpng libpng 1.0.30
libpng libpng 1.0.26
libpng libpng 1.0.56
libpng libpng 1.2.2
libpng libpng 1.2.10
libpng libpng 1.2.28
libpng libpng 1.0.19
libpng libpng 1.2.37
libpng libpng 1.2.35
libpng libpng 1.0.45
libpng libpng 1.0.22
libpng libpng 1.0.61
libpng libpng 1.0.59
libpng libpng 1.0.5
libpng libpng 1.2.53
libpng libpng 1.2.45
libpng libpng 1.0.20
libpng libpng 1.2.46
libpng libpng 1.2.20
libpng libpng 1.2.30
libpng libpng 1.0.8
libpng libpng 1.0.39
canonical ubuntu_linux 12.04
libpng libpng 1.0.25
redhat enterprise_linux_server 7.0
libpng libpng 1.2.8
redhat enterprise_linux_desktop 6.0
libpng libpng 1.0.37
libpng libpng 1.2.44
libpng libpng 1.0.47
libpng libpng 1.2.6
libpng libpng 1.2.22
libpng libpng 1.0.43
libpng libpng 1.4.5
libpng libpng 1.2.14
libpng libpng 1.2.25
libpng libpng 1.0.14
libpng libpng 1.0.58
redhat enterprise_linux_server 6.0
redhat enterprise_linux_hpc_node 7.0
libpng libpng 1.0.18
libpng libpng 1.2.0
libpng libpng 1.0.17
libpng libpng 1.2.26
libpng libpng 1.0.16
libpng libpng 1.2.17
libpng libpng 1.0.23
libpng libpng 1.0.6
libpng libpng 1.0.29
libpng libpng 1.2.50
libpng libpng 1.0.10
libpng libpng 1.0.42
libpng libpng 1.2.19
libpng libpng 1.2.49
libpng libpng 1.2.11
libpng libpng 1.0.60
libpng libpng 1.0.9
libpng libpng 1.0.1
libpng libpng 1.2.52
redhat enterprise_linux_server_aus 7.2
libpng libpng 1.4.9
libpng libpng 1.4.16
libpng libpng 1.2.1
libpng libpng 1.2.38
libpng libpng 1.2.40
libpng libpng 1.2.34
libpng libpng 1.0.57
libpng libpng 1.4.2
CVE-2015-8126 HIGH

Multiple buffer overflows in the (1) png_set_PLTE and (2) png_get_PLTE functions in libpng before 1.0.64, 1.1.x and 1.2.x before 1.2.54, 1.3.x and 1.4.x before 1.4.17, 1.5.x before 1.5.24, and 1.6.x before 1.6.19 allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-120,

Products Affected

Vendor Product Version
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_eus 6.7
debian debian_linux 7.0
debian debian_linux 9.0
canonical ubuntu_linux 15.10
fedoraproject fedora 23
suse linux_enterprise_desktop 11
oracle jre 1.6.0
canonical ubuntu_linux 15.04
oracle linux 7
oracle jdk 1.6.0
suse linux_enterprise_desktop 12
oracle jre 1.8.0
apple mac_os_x *
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_aus 7.3
canonical ubuntu_linux 12.04
oracle linux 6
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_server 7.0
opensuse opensuse 13.2
debian debian_linux 8.0
redhat enterprise_linux_desktop 6.0
redhat enterprise_linux_eus 7.5
oracle solaris 11.3
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 7.0
libpng libpng *
oracle jdk 1.7.0
redhat enterprise_linux_server_aus 7.7
redhat satellite 5.6
redhat enterprise_linux_server_aus 7.4
canonical ubuntu_linux 14.04
oracle jdk 1.8.0
redhat enterprise_linux_eus 7.2
redhat satellite 5.7
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_server_aus 7.2
opensuse opensuse 13.1
fedoraproject fedora 21
opensuse leap 42.1
redhat enterprise_linux_eus 7.6
redhat enterprise_linux_server_aus 7.6
suse linux_enterprise_server 12
redhat enterprise_linux_server_tus 7.2
oracle jre 1.7.0
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_eus 7.3
fedoraproject fedora 22
CVE-2015-8472 HIGH

Buffer overflow in the png_set_PLTE function in libpng before 1.0.65, 1.1.x and 1.2.x before 1.2.55, 1.3.x, 1.4.x before 1.4.18, 1.5.x before 1.5.25, and 1.6.x before 1.6.20 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-8126.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
libpng libpng 1.4.13
libpng libpng 1.2.47
libpng libpng 1.5.19
libpng libpng 1.2.16
libpng libpng 1.2.48
libpng libpng 1.2.12
libpng libpng 1.2.36
libpng libpng 1.4.12
libpng libpng 1.5.24
libpng libpng 1.2.33
libpng libpng 1.5.9
apple mac_os_x *
libpng libpng 1.2.18
libpng libpng 1.2.41
libpng libpng 1.6.6
libpng libpng 1.2.24
libpng libpng 1.5.5
libpng libpng 1.5.1
libpng libpng 1.6.0
libpng libpng 1.5.14
libpng libpng 1.4.15
libpng libpng 1.6.5
libpng libpng 1.2.51
libpng libpng 1.4.3
libpng libpng 1.4.6
libpng libpng 1.4.1
libpng libpng 1.6.18
libpng libpng 1.6.15
libpng libpng 1.6.3
libpng libpng 1.2.32
libpng libpng 1.4.4
libpng libpng 1.2.23
libpng libpng 1.5.8
libpng libpng 1.5.18
libpng libpng 1.2.42
libpng libpng 1.4.10
libpng libpng 1.2.15
libpng libpng 1.4.14
libpng libpng 1.5.21
libpng libpng 1.6.4
libpng libpng 1.2.29
libpng libpng 1.5.16
libpng libpng 1.4.7
libpng libpng 1.6.12
libpng libpng 1.6.14
libpng libpng 1.2.39
libpng libpng 1.4.0
libpng libpng 1.5.11
libpng libpng 1.0.64
libpng libpng 1.5.15
libpng libpng 1.6.17
libpng libpng 1.2.4
libpng libpng 1.2.27
libpng libpng 1.4.8
libpng libpng 1.2.31
libpng libpng 1.5.12
libpng libpng 1.2.13
libpng libpng 1.6.8
libpng libpng 1.2.21
libpng libpng 1.2.3
libpng libpng 1.5.6
libpng libpng 1.4.11
libpng libpng 1.2.43
libpng libpng 1.5.2
libpng libpng 1.5.20
libpng libpng 1.5.4
libpng libpng 1.2.2
libpng libpng 1.5.7
libpng libpng 1.2.10
libpng libpng 1.2.28
libpng libpng 1.2.37
libpng libpng 1.2.35
libpng libpng 1.2.53
libpng libpng 1.2.45
libpng libpng 1.2.54
libpng libpng 1.2.46
libpng libpng 1.2.20
libpng libpng 1.2.30
libpng libpng 1.6.1
libpng libpng 1.4.17
libpng libpng 1.6.2
libpng libpng 1.5.13
libpng libpng 1.6.16
libpng libpng 1.2.44
libpng libpng 1.5.17
libpng libpng 1.2.22
libpng libpng 1.5.23
libpng libpng 1.4.5
libpng libpng 1.2.14
libpng libpng 1.2.25
libpng libpng 1.5.22
libpng libpng 1.6.13
libpng libpng 1.5.3
libpng libpng 1.2.0
libpng libpng 1.2.26
libpng libpng 1.6.19
libpng libpng 1.2.17
libpng libpng 1.2.50
libpng libpng 1.6.10
libpng libpng 1.2.19
libpng libpng 1.2.49
libpng libpng 1.2.11
libpng libpng 1.6.7
libpng libpng 1.2.52
libpng libpng 1.4.9
libpng libpng 1.4.16
libpng libpng 1.2.1
libpng libpng 1.2.38
libpng libpng 1.6.9
libpng libpng 1.2.40
libpng libpng 1.5.10
libpng libpng 1.2.34
libpng libpng 1.6.11
libpng libpng 1.4.2
CVE-2015-8540 HIGH

Integer underflow in the png_check_keyword function in pngwutil.c in libpng 0.90 through 0.99, 1.0.x before 1.0.66, 1.1.x and 1.2.x before 1.2.56, 1.3.x and 1.4.x before 1.4.19, and 1.5.x before 1.5.26 allows remote attackers to have unspecified impact via a space character as a keyword in a PNG image, which triggers an out-of-bounds read.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-189,

Products Affected

Vendor Product Version
libpng libpng 1.4.13
libpng libpng 1.2.47
libpng libpng 1.2.55
libpng libpng 1.5.19
libpng libpng 1.0.11
libpng libpng 1.2.16
libpng libpng 1.2.48
libpng libpng 1.2.12
libpng libpng 1.0.13
libpng libpng 1.2.5
libpng libpng 1.0.40
libpng libpng 1.2.36
libpng libpng 1.4.12
debian debian_linux 6.0
libpng libpng 1.5.24
libpng libpng 1.2.33
libpng libpng 1.5.9
libpng libpng 1.0.0
libpng libpng 1.0.3
libpng libpng 1.0.41
libpng libpng 1.0.15
libpng libpng 1.2.18
libpng libpng 1.2.41
libpng libpng 1.0.27
redhat enterprise_linux_workstation_supplementary 6.0
libpng libpng 1.0.32
libpng libpng 1.0.51
libpng libpng 1.2.24
libpng libpng 1.5.5
libpng libpng 1.0.46
libpng libpng 1.5.1
libpng libpng 1.0.2
libpng libpng 1.0.28
libpng libpng 1.5.14
libpng libpng 1.4.15
libpng libpng 1.5.25
libpng libpng 1.2.51
redhat enterprise_linux_hpc_node 6.0
libpng libpng 1.4.3
libpng libpng 1.4.6
redhat enterprise_linux_server_supplementary 5.0
libpng libpng 1.2.9
libpng libpng 1.4.1
libpng libpng 1.0.63
libpng libpng 1.0.24
libpng libpng 1.0.44
libpng libpng 1.2.32
libpng libpng 1.4.4
libpng libpng 1.2.23
libpng libpng 1.5.8
libpng libpng 1.5.18
libpng libpng 1.0.48
libpng libpng 1.2.42
libpng libpng 1.4.10
libpng libpng 1.2.15
libpng libpng 1.4.14
libpng libpng 1.5.21
libpng libpng 1.2.29
libpng libpng 1.0.38
libpng libpng 1.5.16
libpng libpng 1.4.7
libpng libpng 1.0.7
libpng libpng 1.0.12
libpng libpng 1.0.55
libpng libpng 1.0.31
libpng libpng 1.0.50
libpng libpng 1.2.39
libpng libpng 1.4.0
libpng libpng 1.5.11
libpng libpng 1.0.64
libpng libpng 1.5.15
libpng libpng 1.2.4
libpng libpng 1.2.27
libpng libpng 1.4.8
libpng libpng 1.2.31
libpng libpng 1.5.12
libpng libpng 1.2.13
libpng libpng 1.0.52
libpng libpng 1.0.54
libpng libpng 1.2.7
libpng libpng 1.0.21
libpng libpng 1.0.53
libpng libpng 1.5.0
redhat enterprise_linux_server_supplementary 6.0
libpng libpng 1.0.34
libpng libpng 1.2.21
libpng libpng 1.0.35
libpng libpng 1.2.3
libpng libpng 1.5.6
libpng libpng 1.4.11
libpng libpng 1.0.33
libpng libpng 1.3.0
libpng libpng 1.2.43
libpng libpng 1.5.2
libpng libpng 1.0.62
fedoraproject fedora 23
libpng libpng 1.5.20
libpng libpng 1.0.65
libpng libpng 1.0.30
libpng libpng 1.5.4
libpng libpng 1.0.26
libpng libpng 1.0.56
libpng libpng 1.2.2
libpng libpng 1.5.7
libpng libpng 0.97
libpng libpng 1.2.10
libpng libpng 1.2.28
libpng libpng 1.0.19
libpng libpng 1.2.37
libpng libpng 1.2.35
libpng libpng 1.0.45
libpng libpng 1.0.22
libpng libpng 1.0.61
libpng libpng 1.0.59
libpng libpng 0.96
libpng libpng 1.0.5
libpng libpng 1.2.53
libpng libpng 1.2.45
libpng libpng 1.2.54
libpng libpng 1.0.20
libpng libpng 1.2.46
libpng libpng 1.2.20
libpng libpng 1.2.30
libpng libpng 1.0.8
libpng libpng 1.0.39
libpng libpng 1.4.17
libpng libpng 1.0.25
libpng libpng 1.5.13
libpng libpng 1.4.18
redhat enterprise_linux_desktop_supplementary 6.0
libpng libpng 1.2.8
libpng libpng 1.0.37
libpng libpng 1.2.44
libpng libpng 1.0.47
libpng libpng 1.2.6
libpng libpng 1.5.17
libpng libpng 1.2.22
libpng libpng 1.5.23
libpng libpng 1.0.43
libpng libpng 1.4.5
libpng libpng 0.95
libpng libpng 1.2.14
libpng libpng 1.2.25
libpng libpng 1.0.14
libpng libpng 1.5.22
libpng libpng 1.0.58
libpng libpng 1.5.3
libpng libpng 1.0.18
libpng libpng 1.2.0
libpng libpng 1.0.17
libpng libpng 1.2.26
libpng libpng 1.0.16
libpng libpng 1.2.17
libpng libpng 1.0.23
libpng libpng 1.0.6
libpng libpng 1.0.29
libpng libpng 1.2.50
libpng libpng 1.0.10
libpng libpng 1.0.42
libpng libpng 0.90
libpng libpng 0.99
libpng libpng 1.2.19
libpng libpng 1.2.49
libpng libpng 1.1.1
libpng libpng 1.2.11
libpng libpng 1.0.60
redhat enterprise_linux_desktop_supplementary 5.0
libpng libpng 1.0.9
libpng libpng 1.0.1
libpng libpng 1.2.52
libpng libpng 1.4.9
libpng libpng 1.4.16
libpng libpng 0.98
libpng libpng 1.2.1
libpng libpng 1.2.38
libpng libpng 1.2.40
libpng libpng 1.5.10
libpng libpng 1.2.34
libpng libpng 1.0.57
libpng libpng 1.4.2
CVE-2016-10087 MEDIUM

The png_set_text_2 function in libpng 0.71 before 1.0.67, 1.2.x before 1.2.57, 1.4.x before 1.4.20, 1.5.x before 1.5.28, and 1.6.x before 1.6.27 allows context-dependent attackers to cause a NULL pointer dereference vectors involving loading a text chunk into a png structure, removing the text, and then adding another text chunk to the structure.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
libpng libpng 1.2.47
libpng libpng 1.2.55
libpng libpng 1.5.19
libpng libpng 1.0.11
libpng libpng 1.0.40
libpng libpng 1.0.5c
libpng libpng 1.6.23
libpng libpng 1.2.33
libpng libpng 1.5.9
libpng libpng 1.0.3
libpng libpng 1.0.15
libpng libpng 1.2.41
libpng libpng 1.0.5i
libpng libpng 1.0.32
libpng libpng 1.0.51
libpng libpng 1.5.5
libpng libpng 1.5.1
libpng libpng 1.6.0
libpng libpng 1.0.2a
libpng libpng 1.0.2
libpng libpng 1.5.14
libpng libpng 1.6.20
libpng libpng 1.5.25
libpng libpng 1.2.51
libpng libpng 1.0.5a
libpng libpng 1.0.5d
libpng libpng 1.4.3
libpng libpng 1.4.6
libpng libpng 1.4.1
libpng libpng 1.0.1d
libpng libpng 1.6.18
libpng libpng 1.6.21
libpng libpng 1.0.44
libpng libpng 1.0.6d
libpng libpng 1.6.22
libpng libpng 1.5.8
libpng libpng 1.5.18
libpng libpng 1.2.42
libpng libpng 1.0.5p
libpng libpng 1.0.5q
libpng libpng 1.6.24
libpng libpng 1.4.14
libpng libpng 1.5.21
libpng libpng 1.2.29
libpng libpng 1.0.38
libpng libpng 1.6.12
libpng libpng 1.6.14
libpng libpng 1.0.4b
libpng libpng 1.0.55
libpng libpng 0.87
libpng libpng 1.0.5s
libpng libpng 0.99f
libpng libpng 1.0.31
libpng libpng 1.0.50
libpng libpng 1.2.39
libpng libpng 1.0.64
libpng libpng 0.82
libpng libpng 1.5.15
libpng libpng 0.88
libpng libpng 1.2.4
libpng libpng 0.81
libpng libpng 1.0.6g
libpng libpng 1.4.8
libpng libpng 1.0.1c
libpng libpng 1.0.21
libpng libpng 1.0.53
libpng libpng 1.5.0
libpng libpng 1.0.34
libpng libpng 1.0.35
libpng libpng 1.2.3
libpng libpng 1.4.11
libpng libpng 1.0.33
libpng libpng 1.5.2
libpng libpng 1.0.5n
libpng libpng 1.5.4
libpng libpng 1.0.26
libpng libpng 1.2.56
libpng libpng 0.97
libpng libpng 1.2.37
libpng libpng 1.4.19
libpng libpng 1.0.22
libpng libpng 0.96
libpng libpng 1.2.53
libpng libpng 1.2.45
libpng libpng 1.5.27
libpng libpng 1.2.54
libpng libpng 1.2.20
libpng libpng 1.0.8
libpng libpng 1.0.39
libpng libpng 1.4.17
libpng libpng 1.0.4f
libpng libpng 0.99g
libpng libpng 1.0.37
libpng libpng 1.0.3d
libpng libpng 1.2.6
libpng libpng 1.5.23
libpng libpng 1.4.5
libpng libpng 1.0.14
libpng libpng 1.5.22
libpng libpng 0.71
libpng libpng 1.5.3
libpng libpng 1.0.17
libpng libpng 1.2.26
libpng libpng 1.6.19
libpng libpng 0.86
libpng libpng 1.0.23
libpng libpng 1.0.29
libpng libpng 1.0.10
libpng libpng 1.0.42
libpng libpng 0.90
libpng libpng 1.0.3b
libpng libpng 1.0.60
libpng libpng 0.99h
libpng libpng 1.2.52
libpng libpng 1.0.4d
libpng libpng 1.4.16
libpng libpng 0.98
libpng libpng 1.2.1
libpng libpng 1.0.5m
libpng libpng 1.6.9
libpng libpng 1.6.26
libpng libpng 1.0.4a
libpng libpng 1.0.66
libpng libpng 1.0.57
libpng libpng 1.4.2
libpng libpng 1.4.13
libpng libpng 1.0.5e
libpng libpng 1.0.5t
libpng libpng 1.2.16
libpng libpng 0.8
libpng libpng 1.2.12
libpng libpng 1.0.13
libpng libpng 1.4.12
libpng libpng 1.5.24
libpng libpng 1.0.5l
libpng libpng 1.0.0
libpng libpng 1.0.41
libpng libpng 1.0.5b
libpng libpng 1.2.18
libpng libpng 1.6.6
libpng libpng 1.0.27
libpng libpng 1.0.5o
libpng libpng 1.0.5u
libpng libpng 1.0.1e
libpng libpng 1.2.24
libpng libpng 1.0.6f
libpng libpng 1.0.4
libpng libpng 1.0.46
libpng libpng 1.0.28
libpng libpng 1.4.15
libpng libpng 1.6.5
libpng libpng 1.0.0a
libpng libpng 1.6.15
libpng libpng 1.6.3
libpng libpng 1.0.63
libpng libpng 1.0.24
libpng libpng 1.0.6h
libpng libpng 1.2.32
libpng libpng 0.89
libpng libpng 1.0.5k
libpng libpng 1.4.4
libpng libpng 1.0.48
libpng libpng 1.4.10
libpng libpng 1.6.4
libpng libpng 1.5.16
libpng libpng 1.4.7
libpng libpng 1.0.1b
libpng libpng 1.0.7
libpng libpng 1.0.5f
libpng libpng 1.0.12
libpng libpng 1.6.25
libpng libpng 0.85
libpng libpng 0.99a
libpng libpng 1.0.1a
libpng libpng 1.0.6e
libpng libpng 1.4.0
libpng libpng 1.0.5r
libpng libpng 1.5.11
libpng libpng 1.00
libpng libpng 1.0.5v
libpng libpng 1.6.17
libpng libpng 0.99e
libpng libpng 1.0.5j
libpng libpng 1.0.6i
libpng libpng 1.2.27
libpng libpng 1.5.12
libpng libpng 1.2.13
libpng libpng 1.0.52
libpng libpng 1.0.54
libpng libpng 1.6.8
libpng libpng 1.2.21
libpng libpng 1.5.6
libpng libpng 1.5.26
libpng libpng 1.0.62
libpng libpng 1.5.20
libpng libpng 1.0.65
libpng libpng 1.0.6j
libpng libpng 1.0.30
libpng libpng 1.0.56
libpng libpng 0.99d
libpng libpng 1.0.5g
libpng libpng 1.5.7
libpng libpng 1.2.10
libpng libpng 1.0.19
libpng libpng 1.0.3a
libpng libpng 1.2.35
libpng libpng 1.0.45
libpng libpng 1.0.61
libpng libpng 1.0.59
libpng libpng 1.0.5
libpng libpng 1.0.4e
libpng libpng 1.0.20
libpng libpng 1.2.46
libpng libpng 1.6.1
libpng libpng 1.0.25
libpng libpng 1.6.2
libpng libpng 1.5.13
libpng libpng 1.6.16
libpng libpng 1.4.18
libpng libpng 1.2.8
libpng libpng 1.2.44
libpng libpng 1.0.47
libpng libpng 1.5.17
libpng libpng 1.2.22
libpng libpng 1.0.43
libpng libpng 0.95
libpng libpng 1.2.14
libpng libpng 1.2.25
libpng libpng 1.6.13
libpng libpng 1.0.58
libpng libpng 1.0.18
libpng libpng 1.2.0
libpng libpng 1.0.5h
libpng libpng 1.0.16
libpng libpng 0.99c
libpng libpng 0.89c
libpng libpng 0.99b
libpng libpng 1.0.6
libpng libpng 1.2.50
libpng libpng 1.6.10
libpng libpng 0.99
libpng libpng 1.0.4c
libpng libpng 1.0.9
libpng libpng 1.6.7
libpng libpng 1.0.1
libpng libpng 1.4.9
libpng libpng 1.2.38
libpng libpng 1.0.0b
libpng libpng 1.5.10
libpng libpng 1.6.11
CVE-2016-3751 HIGH

Unspecified vulnerability in libpng before 1.6.20, as used in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-07-01, allows attackers to gain privileges via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 23265085.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
google android 5.0.1
google android 5.0
google android 4.0
google android 6.0.1
libpng libpng *
google android 4.0.1
google android 4.1.2
google android 4.2
google android 4.4.1
google android 6.0
google android 4.4
google android 4.3.1
google android 5.1
google android 4.1
google android 4.0.3
google android 4.2.2
google android 4.3
google android 4.4.3
google android 4.4.2
google android 4.0.4
google android 5.1.0
google android 4.0.2
google android 4.2.1
CVE-2017-12652 HIGH

libpng before 1.6.32 does not properly check the length of chunks against the user limit.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,CWE-20,

Products Affected

Vendor Product Version
netapp active_iq_unified_manager -
libpng libpng *
CVE-2018-13785 MEDIUM

In libpng 1.6.34, a wrong calculation of row_factor in the png_check_chunk_length function (pngrutil.c) may trigger an integer overflow and resultant divide-by-zero while processing a crafted PNG file, leading to a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,CWE-369,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 7.0
canonical ubuntu_linux 16.04
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 7.0
canonical ubuntu_linux 17.10
libpng libpng 1.6.34
oracle jre 11.0.0
oracle jdk 1.7.0
oracle jre 1.6.0
redhat enterprise_linux_workstation 6.0
canonical ubuntu_linux 14.04
oracle jdk 1.6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.8.0
canonical ubuntu_linux 18.04
oracle jre 1.7.0
oracle jdk 1.8.0
oracle jdk 11.0.0
CVE-2018-14048 MEDIUM

An issue has been found in libpng 1.6.34. It is a SEGV in the function png_free_data in png.c, related to the recommended error handling for png_read_image.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle jdk 1.6.0
libpng libpng 1.6.34
oracle jre 11.0.0
oracle jre 1.8.0
oracle jre 1.7.0
oracle jdk 1.7.0
oracle jdk 1.8.0
oracle jdk 11.0.0
oracle jre 1.6.0
CVE-2018-14550 MEDIUM

An issue has been found in third-party PNM decoding associated with libpng 1.6.35. It is a stack-based buffer overflow in the function get_token in pnm2png.c in pnm2png.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
netapp active_iq_unified_manager -
libpng libpng 1.6.35
oracle mysql_workbench *
netapp oncommand_api_services -
oracle hyperion_infrastructure_technology 11.1.2.6.0
CVE-2019-6129 MEDIUM

png_create_info_struct in png.c in libpng 1.6.36 has a memory leak, as demonstrated by pngcp. NOTE: a third party has stated "I don't think it is libpng's job to free this buffer.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-401,

Products Affected

Vendor Product Version
libpng libpng 1.6.36
CVE-2019-7317 LOW

png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H 1.6 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-416,

Products Affected

Vendor Product Version
debian debian_linux 9.0
netapp cloud_backup -
netapp e-series_santricity_management -
netapp active_iq_unified_manager 9.6
netapp plug-in_for_symantec_netbackup -
netapp oncommand_insight *
redhat enterprise_linux_for_scientific_computing 7.0
canonical ubuntu_linux 19.04
redhat enterprise_linux_workstation 7.0
netapp e-series_santricity_unified_manager *
hpe xp7_command_view_advanced_edition_suite *
oracle jdk 12.0.1
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_for_power_big_endian 6.0
oracle java_se 7u221
redhat enterprise_linux_for_power_big_endian 7.0
hp xp7_command_view *
debian debian_linux 8.0
redhat enterprise_linux_desktop 6.0
redhat enterprise_linux 8.0
redhat enterprise_linux_for_scientific_computing 6.0
redhat enterprise_linux 6.0
mozilla thunderbird -
canonical ubuntu_linux 16.04
netapp active_iq_unified_manager *
redhat enterprise_linux_desktop 7.0
libpng libpng *
mozilla firefox -
opensuse leap 42.3
redhat enterprise_linux_for_ibm_z_systems 8.0
netapp oncommand_workflow_automation *
redhat enterprise_linux_for_ibm_z_systems 6.0
netapp steelstore -
oracle jdk 11.0.3
canonical ubuntu_linux 18.10
redhat satellite 5.8
canonical ubuntu_linux 18.04
netapp e-series_santricity_storage_manager *
oracle java_se 8u212
oracle mysql *
opensuse leap 15.0
redhat enterprise_linux_for_power_little_endian 7.0
oracle hyperion_infrastructure_technology 11.2.6.0
netapp e-series_santricity_web_services *
opensuse package_hub -
redhat enterprise_linux_for_ibm_z_systems 7.0
redhat enterprise_linux 7.0
opensuse leap 15.1
netapp snapmanager *
netapp snapmanager 3.4.2
redhat enterprise_linux_for_power_little_endian 8.0
CVE-2020-27818 MEDIUM

A flaw was found in the check_chunk_name() function of pngcheck-2.4.0. An attacker able to pass a malicious file to be processed by pngcheck could cause a temporary denial of service, posing a low risk to application availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L 1.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-120,CWE-125,

Products Affected

Vendor Product Version
fedoraproject extra_packages_for_enterprise_linux 7.0
fedoraproject fedora 31
fedoraproject fedora 33
debian debian_linux 9.0
fedoraproject fedora 32
fedoraproject fedora 34
fedoraproject extra_packages_for_enterprise_linux 8.0
libpng pngcheck 2.4.0
CVE-2020-35511

A global buffer overflow was discovered in pngcheck function in pngcheck-2.4.0(5 patches applied) via a crafted png file.

Products Affected

Vendor Product Version
debian debian_linux 10.0
debian debian_linux 11.0
libpng pngcheck 2.4.0
CVE-2021-4214

A heap overflow flaw was found in libpngs' pngimage.c program. This flaw allows an attacker with local network access to pass a specially crafted PNG file to the pngimage utility, causing an application to crash, leading to a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6

Products Affected

Vendor Product Version
debian debian_linux 10.0
netapp ontap_select_deploy_administration_utility -
debian debian_linux 11.0
libpng libpng 1.6.0
CVE-2022-3857

A flaw was found in libpng 1.6.38. A crafted PNG image can lead to a segmentation fault and denial of service in png_setup_paeth_row() function.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6

Products Affected

Vendor Product Version
libpng libpng 1.6.38
CVE-2025-28162

Buffer Overflow vulnerability in libpng 1.6.43-1.6.46 allows a local attacker to cause a denial of service via the pngimage with AddressSanitizer (ASan), the program leaks memory in various locations, eventually leading to high memory usage and causing the program to become unresponsive

Products Affected

Vendor Product Version
libpng libpng *
CVE-2025-28164

Buffer Overflow vulnerability in libpng 1.6.43-1.6.46 allows a local attacker to cause a denial of service via png_create_read_struct() function.

Products Affected

Vendor Product Version
libpng libpng *
CVE-2025-64505

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to version 1.6.51, a heap buffer over-read vulnerability exists in libpng's png_do_quantize function when processing PNG files with malformed palette indices. The vulnerability occurs when palette_lookup array bounds are not validated against externally-supplied image data, allowing an attacker to craft a PNG file with out-of-range palette indices that trigger out-of-bounds memory access. This issue has been patched in version 1.6.51.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 6.1 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H 1.8 4.2

Products Affected

Vendor Product Version
libpng libpng *
CVE-2025-64506

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, a heap buffer over-read vulnerability exists in libpng's png_write_image_8bit function when processing 8-bit images through the simplified write API with convert_to_8bit enabled. The vulnerability affects 8-bit grayscale+alpha, RGB/RGBA, and images with incomplete row data. A conditional guard incorrectly allows 8-bit input to enter code expecting 16-bit input, causing reads up to 2 bytes beyond allocated buffer boundaries. This issue has been patched in version 1.6.51.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 6.1 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H 1.8 4.2

Products Affected

Vendor Product Version
libpng libpng *
CVE-2025-64720

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, an out-of-bounds read vulnerability exists in png_image_read_composite when processing palette images with PNG_FLAG_OPTIMIZE_ALPHA enabled. The palette compositing code in png_init_read_transformations incorrectly applies background compositing during premultiplication, violating the invariant component ≤ alpha × 257 required by the simplified PNG API. This issue has been patched in version 1.6.51.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 7.1 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H 2.8 4.2

Products Affected

Vendor Product Version
libpng libpng *
CVE-2025-65018

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, there is a heap buffer overflow vulnerability in the libpng simplified API function png_image_finish_read when processing 16-bit interlaced PNGs with 8-bit output format. Attacker-crafted interlaced PNG files cause heap writes beyond allocated buffer bounds. This issue has been patched in version 1.6.51.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H 1.8 5.2

Products Affected

Vendor Product Version
libpng libpng *
CVE-2025-66293

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.52, an out-of-bounds read vulnerability in libpng's simplified API allows reading up to 1012 bytes beyond the png_sRGB_base[512] array when processing valid palette PNG images with partial transparency and gamma correction. The PNG files that trigger this vulnerability are valid per the PNG specification; the bug is in libpng's internal state management. Upgrade to libpng 1.6.52 or later.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 7.1 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H 2.8 4.2

Products Affected

Vendor Product Version
libpng libpng *
CVE-2026-22695

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.51 to 1.6.53, there is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018. This vulnerability is fixed in 1.6.54.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 6.1 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H 1.8 4.2

Products Affected

Vendor Product Version
libpng libpng *
CVE-2026-22801

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 6.8 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H 2.5 4.2

Products Affected

Vendor Product Version
libpng libpng *
CVE-2026-25646

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55.

Products Affected

Vendor Product Version
libpng libpng *
CVE-2026-33416

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, `png_set_tRNS` and `png_set_PLTE` each alias a heap-allocated buffer between `png_struct` and `png_info`, sharing a single allocation across two structs with independent lifetimes. The `trans_alpha` aliasing has been present since at least libpng 1.0, and the `palette` aliasing since at least 1.2.1. Both affect all prior release lines `png_set_tRNS` sets `png_ptr->trans_alpha = info_ptr->trans_alpha` (256-byte buffer) and `png_set_PLTE` sets `info_ptr->palette = png_ptr->palette` (768-byte buffer). In both cases, calling `png_free_data` (with `PNG_FREE_TRNS` or `PNG_FREE_PLTE`) frees the buffer through `info_ptr` while the corresponding `png_ptr` pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory. A second call to `png_set_tRNS` or `png_set_PLTE` has the same effect, because both functions call `png_free_data` internally before reallocating the `info_ptr` buffer. Version 1.6.56 fixes the issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H 1.6 5.9

Products Affected

Vendor Product Version
libpng libpng *
CVE-2026-33636

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.6.36 through 1.6.55, an out-of-bounds read and write exists in libpng's ARM/AArch64 Neon-optimized palette expansion path. When expanding 8-bit paletted rows to RGB or RGBA, the Neon loop processes a final partial chunk without verifying that enough input pixels remain. Because the implementation works backward from the end of the row, the final iteration dereferences pointers before the start of the row buffer (OOB read) and writes expanded pixel data to the same underflowed positions (OOB write). This is reachable via normal decoding of attacker-controlled PNG input if Neon is enabled. Version 1.6.56 fixes the issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 7.6 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H 2.8 4.7

Products Affected

Vendor Product Version
libpng libpng *