libpng Buffer Overflow Vulnerability Leading to Denial-of-Service

Vulnerability

A buffer overflow vulnerability has been identified in libpng versions 1.6.43 through 1.6.46. It allows a local attacker to cause a denial of service by exploiting memory leaks in the pngimage application. When AddressSanitizer (ASan) is used, the program's memory management flaws are revealed; they lead to excessive memory consumption and cause the application to hang.

Impact

Exploitation of this vulnerability causes a memory leak, with AddressSanitizer reporting over 10,000 bytes leaked. This excessive memory usage can cause the application to become unresponsive.

Reproduction

The vulnerability can be reproduced by compiling libpng and running the pngimage tool with a crafted PNG file that triggers the memory leak. AddressSanitizer should be enabled during compilation so that the memory management issues are detected.

Remediation

Users can upgrade to libpng version 1.6.47 or later, where this vulnerability has been addressed.
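
To check which hosts still need the upgrade, the version range stated above can be turned into a small audit script. This is an added example, not code from the advisory or from the libpng project; the inventory lines and package names are constructed, and the only libpng call used is png_access_version_number(), which returns the version in numeric form (10643 for 1.6.43).

```python
import ctypes
import ctypes.util
import re

# Range as stated in the advisory: 1.6.43 through 1.6.46 affected, 1.6.47 fixed.
AFFECTED_MIN, AFFECTED_MAX = (1, 6, 43), (1, 6, 46)

def parse_version(text):
    """Pull (major, minor, release) out of a package-style version string."""
    m = re.search(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(part) for part in m.groups())

def decode_number(num):
    """Decode libpng's numeric form (10643 means 1.6.43)."""
    return (num // 10000, (num // 100) % 100, num % 100)

def classify(version):
    """Place a version tuple relative to the advisory's affected range."""
    if version < AFFECTED_MIN:
        return "before-affected-range"
    if version <= AFFECTED_MAX:
        return "affected"
    return "fixed"

def loaded_libpng_version():
    """Ask the libpng the dynamic loader resolves; None if it cannot be loaded."""
    name = ctypes.util.find_library("png") or ctypes.util.find_library("png16")
    if name is None:
        return None
    try:
        fn = ctypes.CDLL(name).png_access_version_number
    except (OSError, AttributeError):
        return None
    fn.restype, fn.argtypes = ctypes.c_uint32, []
    return decode_number(fn())

def audit(lines):
    """Map 'host package version' inventory lines to (host, version, status)."""
    out = []
    for line in lines:
        host, _pkg, ver = line.split()
        v = parse_version(ver)
        out.append((host, ".".join(map(str, v)), classify(v)))
    return out

# Constructed inventory lines (hosts and package names are made up).
SAMPLE = ["web01 libpng16-16 1.6.43-5build1", "ci02 libpng 1:1.6.46-r0",
          "db03 libpng16-16 1.6.47-1", "old04 libpng16 1.6.37-3"]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row)
    print("loaded libpng:", loaded_libpng_version())
```

Statically linked or vendored copies of libpng do not show up in a package inventory or in the loader lookup, so applications that bundle the library need to be checked separately.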

Added: Jan 27, 2026, 4:38 PM
Updated: Jan 27, 2026, 4:38 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.2
remediation: 0.0
relevance: 2.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.