CVE-2026-22801

LIBPNG has an integer truncation causing heap buffer over-read in png_image_write_*

Published: 1/12/2026 Last updated: 1/13/2026 Reserved: 1/9/2026

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54.

CNA assigner: GitHub_M (a0819718-46f1-4df5-94e2-005712e83aaa) Requested by: n/a

Metrics

Version	Score	Severity	Vector String
3.1	6.8	Medium	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Opam packages affected (4)

conf-gd conf-libpng grib qrencode

Products affected (1)

Product	Vendor	Version
libpng	pnggroup	<= 1.11.3

CVE-2026-22801

LIBPNG has an integer truncation causing heap buffer over-read in png_image_write_*

Metrics

Opam packages affected (4)

Products affected (1)

References (2)