PT-2026-28502 · Libpng+4

Amemoyoi · Published 2026-01-01 · Updated 2026-05-26 · CVE-2026-33636

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:C
Name of the Vulnerable Software and Affected Versions: LIBPNG versions 1.6.36 through 1.6.55

Description: An out-of-bounds read and write exists in the ARM/AArch64 Neon-optimized palette expansion path. When expanding 8-bit paletted rows to RGB or RGBA, the Neon loop processes a final partial chunk without verifying whether sufficient input pixels remain. Because the implementation operates backward from the end of the row, the final iteration dereferences pointers before the start of the row buffer, leading to an out-of-bounds read, and writes expanded pixel data to those same underflowed positions, causing an out-of-bounds write. This issue is reachable through the normal decoding of attacker-controlled PNG input if Neon is enabled.

Recommendations: Update to version 1.6.56.
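The following is an added illustration, not libpng's code and not the actual Neon routine: a simplified scalar C model of in-place palette expansion that walks the row backward in fixed-size chunks (the shape of a SIMD loop) and checks how many pixels remain before each step, so a short final chunk is narrowed instead of stepping before row[0]. The chunk size, palette and row contents are constructed here for the demonstration; `unchecked_underflow_bytes` only computes, arithmetically, how far an unchecked full-chunk step would reach before the buffer start.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model (not libpng): expand 8-bit palette indices to RGB in
 * place. Output needs 3 bytes per pixel, input 1 byte, so the row is
 * processed from the end to avoid overwriting indices not yet read. */
#define CHANNELS 3

/* Expand `count` pixels whose indices sit at row[first .. first+count-1]
 * into RGB at row[first*CHANNELS ..], highest pixel first. */
static void expand_chunk(uint8_t *row, size_t first, size_t count,
                         const uint8_t palette[][CHANNELS]) {
    for (size_t i = count; i-- > 0;) {
        size_t px = first + i;
        uint8_t idx = row[px];              /* read before the write below */
        memcpy(row + px * CHANNELS, palette[idx], CHANNELS);
    }
}

/* Hardened driver: before each backward step, clamp the chunk to the
 * number of pixels actually remaining. Returns 0 on success. */
int expand_palette_row(uint8_t *row, size_t width,
                       const uint8_t palette[][CHANNELS], size_t chunk) {
    if (row == NULL || chunk == 0) return -1;
    size_t remaining = width;
    while (remaining > 0) {
        size_t count = remaining < chunk ? remaining : chunk; /* the check */
        size_t first = remaining - count;
        expand_chunk(row, first, count, palette);
        remaining = first;
    }
    return 0;
}

/* How many bytes before row[0] a backward loop that always steps a full
 * chunk would touch on its last iteration (0 when width is a multiple). */
size_t unchecked_underflow_bytes(size_t width, size_t chunk) {
    if (chunk == 0 || width == 0) return 0;
    size_t rem = width % chunk;
    return rem == 0 ? 0 : chunk - rem;
}

/* Constructed self-check: a 13-pixel row with an 8-pixel chunk size, so the
 * last step must be narrowed to 5 pixels. Returns 1 if every expanded
 * pixel matches its palette entry. */
int demo_roundtrip(void) {
    static const uint8_t palette[4][CHANNELS] = {
        {255, 0, 0}, {0, 255, 0}, {0, 0, 255}, {9, 8, 7}};
    enum { WIDTH = 13, CHUNK = 8 };
    uint8_t row[WIDTH * CHANNELS];
    memset(row, 0, sizeof row);
    for (size_t i = 0; i < WIDTH; i++) row[i] = (uint8_t)(i % 4);

    if (expand_palette_row(row, WIDTH, palette, CHUNK) != 0) return 0;
    for (size_t i = 0; i < WIDTH; i++)
        if (memcmp(row + i * CHANNELS, palette[i % 4], CHANNELS) != 0)
            return 0;
    return 1;
}

int main(void) {
    printf("roundtrip ok: %d\n", demo_roundtrip());
    printf("bytes an unchecked loop would read before row[0] (13 px, 8-chunk): %zu\n",
           unchecked_underflow_bytes(13, 8));
    return 0;
}
```

The defender-relevant point is the single `remaining < chunk` clamp: a backward SIMD tail that always advances a full chunk is correct only when the width is a chunk multiple, and the arithmetic in `unchecked_underflow_bytes` shows how far short the unchecked variant lands for any other width.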

Tags: Exploit · Fix · RCE · Out of bounds Read · Memory Corruption


Weakness Enumeration

Related Identifiers

ALSA-2026:14790
ALSA-2026:14791
ALSA-2026:7671
ALSA-2026:7672
ALSA-2026:8052
ALSA-2026:8459
ALSA-2026:9345
ALSA-2026:9638
ALSA-2026:9693
BDU:2026-06669
CVE-2026-33636
ECHO-42F8-ED7B-D9F3
GHSA-WJR5-C57X-95M2
MGASA-2026-0070
OESA-2026-1852
OPENSUSE-SU-2026:10451-1
OPENSUSE-SU-2026:20466-1
RHSA-2026:11805
RHSA-2026:11813
RHSA-2026:12264
RHSA-2026:13342
RHSA-2026:13412
RHSA-2026:13533
RHSA-2026:13582
RHSA-2026:13583
RHSA-2026:13596
RHSA-2026:13600
RHSA-2026:13665
RHSA-2026:13682
RHSA-2026:13683
RHSA-2026:13922
RHSA-2026:13977
RHSA-2026:14223
RHSA-2026:14303
RHSA-2026:14790
RHSA-2026:14791
RHSA-2026:15889
RHSA-2026:17524
RHSA-2026:17567
RHSA-2026:17603
RHSA-2026:17642
RHSA-2026:17685
RHSA-2026:6732
RHSA-2026:7671
RHSA-2026:7672
RHSA-2026:8052
RHSA-2026:8459
RHSA-2026:9254
RHSA-2026:9345
RHSA-2026:9638
RHSA-2026:9693
SUSE-SU-2026:1368-1
SUSE-SU-2026:21000-1
SUSE-SU-2026:21038-1
SUSE-SU-2026:21067-1
SUSE-SU-2026:21138-1
USN-8251-1

Affected Products

Libpng
Linuxmint
Red Os
Rocky Linux
Ubuntu