Updated: 2026-02-08 04:41:42.166953
Description:
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, an out-of-bounds read vulnerability exists in png_image_read_composite when processing palette images with PNG_FLAG_OPTIMIZE_ALPHA enabled. The palette compositing code in png_init_read_transformations incorrectly applies background compositing during premultiplication, violating the invariant component ≤ alpha × 257 required by the simplified PNG API. This issue has been patched in version 1.6.51.

| CVSS version | Severity | Score |
|---|---|---|
| CVSS Version 2.x | NONE | 0.0 |
| CVSS Version 3.x | HIGH | 7.1 |

| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| AlmaLinux 9.2 ESU | libpng | 1.6.37 | 7.1 | HIGH | Released | CLSA-2026:1768394334 | 2026-01-14 16:33:40 | |
| AlmaLinux 9.2 ESU | java-17-openjdk | 17.0.9.0.9 | 7.1 | HIGH | In Testing | | 2026-01-26 14:07:04 | |
| AlmaLinux 9.2 ESU | java-1.8.0-openjdk | 1.8.0 | 7.1 | HIGH | In Testing | | 2026-01-24 14:04:57 | |
| CentOS 7 ELS | java-1.8.0-openjdk | 1.8.0 | 7.1 | HIGH | Not Vulnerable | | 2026-01-27 23:37:48 | |
| CentOS 7 ELS | libpng | 1.5.13 | 7.1 | HIGH | Released | CLSA-2026:1768911013 | 2026-01-28 12:08:32 | |
| CentOS 8.4 ELS | java-1.8.0-openjdk | 1.8.0 | 7.1 | HIGH | Not Vulnerable | | 2026-01-27 14:57:58 | |
| CentOS 8.5 ELS | java-1.8.0-openjdk | 1.8.0 | 7.1 | HIGH | Not Vulnerable | | 2026-01-27 14:57:57 | |
| CentOS Stream 8 ELS | java-1.8.0-openjdk | 1.8.0 | 7.1 | HIGH | Not Vulnerable | | 2026-01-27 14:58:02 | |
| CloudLinux 7 ELS | java-1.8.0-openjdk | 1.8.0 | 7.1 | HIGH | Not Vulnerable | | 2026-01-27 23:37:50 | |
| Oracle Linux 7 ELS | java-1.8.0-openjdk | 1.8.0 | 7.1 | HIGH | Not Vulnerable | | 2026-01-27 23:37:49 | |