CVE-2026-33636

| EUVD-2026-16269 HIGH
2026-03-26 GitHub_M
7.6
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
High

Lifecycle Timeline

4
Patch Released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 26, 2026 - 17:15 vuln.today
EUVD ID Assigned
Mar 26, 2026 - 17:15 euvd
EUVD-2026-16269
CVE Published
Mar 26, 2026 - 16:51 nvd
HIGH 7.6

Tags

Buffer Overflow Information Disclosure

Description

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.6.36 through 1.6.55, an out-of-bounds read and write exists in libpng's ARM/AArch64 Neon-optimized palette expansion path. When expanding 8-bit paletted rows to RGB or RGBA, the Neon loop processes a final partial chunk without verifying that enough input pixels remain. Because the implementation works backward from the end of the row, the final iteration dereferences pointers before the start of the row buffer (OOB read) and writes expanded pixel data to the same underflowed positions (OOB write). This is reachable via normal decoding of attacker-controlled PNG input if Neon is enabled. Version 1.6.56 fixes the issue.

Analysis

Out-of-bounds read and write in libpng's ARM/AArch64 Neon-optimized palette expansion allows remote attackers to trigger memory corruption, information disclosure, and denial of service when processing malicious PNG files. libpng versions 1.6.36 through 1.6.55 are affected on ARM platforms with Neon optimization enabled. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Remediation

Within 24 hours: Identify all systems running libpng 1.6.36-1.6.55 on ARM/AArch64 architectures (inspect container images, embedded devices, and ARM servers); document exposure scope and prioritize internet-facing or data-processing systems. Within 7 days: Upgrade libpng to version 1.6.56 or later on all affected ARM systems; test patched builds in non-production environments first. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

38
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +38
POC: 0

Vendor Status

Debian

Bug #1132013
libpng1.6
Release Status Fixed Version Urgency
bullseye vulnerable 1.6.37-3 -
bullseye (security) vulnerable 1.6.37-3+deb11u2 -
bookworm vulnerable 1.6.39-2+deb12u1 -
bookworm (security) vulnerable 1.6.39-2+deb12u3 -
trixie (security), trixie vulnerable 1.6.48-1+deb13u3 -
forky, sid vulnerable 1.6.55-1 -
(unstable) fixed (unfixed) -

Share

CVE-2026-33636 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy