Updated: 2026-02-08 04:41:41.148943
Description:
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, there is a heap buffer overflow vulnerability in the libpng simplified API function png_image_finish_read when processing 16-bit interlaced PNGs with 8-bit output format. Attacker-crafted interlaced PNG files cause heap writes beyond allocated buffer bounds. This issue has been patched in version 1.6.51.
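
For triage, the file-side condition in the description (16-bit samples plus interlacing) can be read straight from a PNG's IHDR chunk. The following is an added example, not code from libpng or from this advisory; `png_triage_ihdr` and the sample byte arrays are hypothetical names and constructed data. The 8-bit output format is chosen by the application calling `png_image_finish_read`, so it cannot be determined from the file.

```c
/* Added example: flag PNG files whose IHDR declares 16-bit samples and
 * Adam7 interlacing, the input class named in the description above. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { PNG_TRIAGE_BAD = -1, PNG_TRIAGE_NO = 0, PNG_TRIAGE_MATCH = 1 };

/* Hypothetical helper. Returns MATCH for 16-bit + interlaced, NO for any
 * other header, BAD if the buffer does not start with a PNG signature
 * followed by a 13-byte IHDR chunk. Only the first 29 bytes are read. */
int png_triage_ihdr(const unsigned char *buf, size_t len)
{
    static const unsigned char sig[8] = {0x89,'P','N','G','\r','\n',0x1a,'\n'};
    static const unsigned char hdr[8] = {0,0,0,13,'I','H','D','R'};

    if (buf == NULL || len < 29)
        return PNG_TRIAGE_BAD;
    if (memcmp(buf, sig, 8) != 0 || memcmp(buf + 8, hdr, 8) != 0)
        return PNG_TRIAGE_BAD;

    /* IHDR data starts at offset 16: width(4) height(4) bit_depth(1)
     * color_type(1) compression(1) filter(1) interlace(1). */
    unsigned bit_depth = buf[24];
    unsigned interlace = buf[28];   /* 0 = none, 1 = Adam7 */

    if (interlace > 1)
        return PNG_TRIAGE_BAD;      /* not a value the PNG spec defines */
    return (bit_depth == 16 && interlace == 1) ? PNG_TRIAGE_MATCH
                                               : PNG_TRIAGE_NO;
}

/* Constructed sample headers: signature + IHDR length/type/data, no CRC. */
#define HDR_PREFIX 0x89,'P','N','G','\r','\n',0x1a,'\n', 0,0,0,13,'I','H','D','R', \
                   0,0,0,32, 0,0,0,32
const unsigned char sample_16bit_adam7[29] = { HDR_PREFIX, 16, 6, 0, 0, 1 };
const unsigned char sample_8bit_adam7[29]  = { HDR_PREFIX,  8, 6, 0, 0, 1 };
const unsigned char sample_16bit_plain[29] = { HDR_PREFIX, 16, 2, 0, 0, 0 };

int main(void)
{
    printf("16-bit Adam7: %d\n", png_triage_ihdr(sample_16bit_adam7, 29));
    printf("8-bit Adam7:  %d\n", png_triage_ihdr(sample_8bit_adam7, 29));
    printf("16-bit plain: %d\n", png_triage_ihdr(sample_16bit_plain, 29));
    return 0;
}
```

A match only marks a file as belonging to the affected input class; the fix remains moving to libpng 1.6.51 or a vendor build carrying the patch.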

| CVSS version | Severity | Score |
|---|---|---|
| CVSS Version 2.x | NONE | 0.0 |
| CVSS Version 3.x | HIGH | 7.1 |

| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| AlmaLinux 9.2 ESU | libpng | 1.6.37 | 7.1 | HIGH | Released | CLSA-2026:1768394334 | 2026-01-14 16:33:44 | |
| AlmaLinux 9.2 ESU | java-17-openjdk | 17.0.9.0.9 | 7.1 | HIGH | In Testing | | 2026-01-26 14:07:05 | |
| AlmaLinux 9.2 ESU | java-1.8.0-openjdk | 1.8.0 | 7.1 | HIGH | In Testing | | 2026-01-24 14:04:54 | |
| CentOS 8.4 ELS | java-1.8.0-openjdk | 1.8.0 | 7.1 | HIGH | Not Vulnerable | | 2026-01-27 14:57:56 | |
| CentOS 8.5 ELS | java-1.8.0-openjdk | 1.8.0 | 7.1 | HIGH | Not Vulnerable | | 2026-01-29 11:54:36 | |
| CentOS Stream 8 ELS | java-1.8.0-openjdk | 1.8.0 | 7.1 | HIGH | Not Vulnerable | | 2026-01-27 14:57:57 | |
| TuxCare 9.6 ESU | java-21-openjdk | 21.0.9.0.10 | 7.1 | HIGH | In Progress | | 2026-02-09 20:16:42 | |
| TuxCare 9.6 ESU | java-1.8.0-openjdk | 1.8.0.472.b08 | 7.1 | HIGH | Released | CLSA-2026:1770116781 | 2026-02-03 15:39:34 | |
| TuxCare 9.6 ESU | java-17-openjdk | 17.0.17.0.10 | 7.1 | HIGH | Released | CLSA-2026:1770115899 | 2026-02-03 15:39:47 | |
| TuxCare 9.6 ESU | libpng | 1.6.37 | 7.1 | HIGH | Released | CLSA-2026:1768395101 | 2026-01-14 16:33:43 | |