Skip to main content

libpng-apng CVE-2026-40930

| EUVDEUVD-2026-34287 MEDIUM
Interpretation Conflict (CWE-436)
2026-05-18
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

5
Source Code Evidence Fetched
Jun 04, 2026 - 16:25 vuln.today
Analysis Generated
Jun 04, 2026 - 16:25 vuln.today
CVSS changed
Jun 04, 2026 - 16:22 NVD
5.4 (MEDIUM)
CVE Published
May 18, 2026 - 20:45 nvd
UNKNOWN (no severity yet)
CVE Published
May 18, 2026 - 20:45 nvd
MEDIUM 5.4

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Chunk-smuggling in libpng-apng's push-mode APNG parser allows a remote unauthenticated attacker to cause integrity violations and availability disruption when a victim processes a specially crafted APNG file. The flaw - classified under CWE-436 (Interpretation Conflict) - stems from incorrect sequencing of CRC finalization and frame sequence number validation for fcTL and fdAT chunks in pngpread.c, enabling maliciously ordered chunk boundaries to bypass expected parser state transitions. No public exploit code exists at time of analysis and this vulnerability is not listed in the CISA KEV catalog; however, it represents a meaningful risk for any image-processing pipeline or application accepting user-supplied APNG data from untrusted sources.

Technical ContextAI

libpng-apng is the APNG (Animated PNG) patched variant of the canonical libpng library, which adds animation chunk handling (acTL, fcTL, fdAT) not present in stock libpng. The affected code resides in pngpread.c, which implements the push-mode (incremental/streaming) parsing API - used when image data arrives in chunks rather than all at once. CWE-436 (Interpretation Conflict) captures the root cause: prior to fix commit faf06924688b62d7c1654b5ceddedbde66ffadb4, calls to png_ensure_sequence_number (APNG frame sequence validation) and png_crc_finish (CRC checksum finalization) appeared in incorrect relative order and position within the chunk dispatch logic. This mismatch allowed a crafted file to present APNG chunks whose sequence numbers and CRC regions were validated against wrong boundaries, enabling a chunk-smuggling condition where the parser interprets chunk type or content inconsistently with what a strict reading of the PNG/APNG specification would mandate. The fix repositions these validation calls and relocates buffer-size guards inside the correct conditional branches, ensuring sequence numbers are checked and CRCs are consumed before chunk content is acted upon.

RemediationAI

Apply the upstream fix by updating to a build of libpng-apng that includes commit faf06924688b62d7c1654b5ceddedbde66ffadb4 (https://github.com/pnggroup/libpng/commit/faf06924688b62d7c1654b5ceddedbde66ffadb4); consult the GitHub security advisory GHSA-c4v6-gxrq-6g2x for the officially patched release version once confirmed. If a packaged release is not yet available for your distribution, apply the patch to pngpread.c directly, as the diff is self-contained. As a compensating control, applications that do not require animation support can switch from the push-mode API to the pull-mode API, which is not affected by this vulnerability, though this may require code changes if the streaming API is architecturally required. For internet-facing upload services, rejecting files detected as APNG (by checking for the acTL chunk) at the ingestion boundary until patched is an effective but operationally disruptive workaround, as it blocks all animated PNG processing. Sandboxing the image decoding process (e.g., running it in a seccomp-filtered subprocess) limits blast radius even if exploitation occurs.

CVE-2025-1094 HIGH POC
8.1 Feb 13

PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperl

CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2013-1899 MEDIUM POC
6.5 Apr 04

Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows re

CVE-2026-20253 CRITICAL POC
9.8 Jun 10

Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.

CVE-2017-7546 CRITICAL
9.8 Aug 16

PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allow

CVE-2015-1352 MEDIUM POC
5.0 Mar 30

The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate t

CVE-2024-10553 CRITICAL POC
9.8 Mar 20

A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitra

CVE-2019-9193 HIGH POC
7.2 Apr 01

In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_serve

CVE-2026-40887 CRITICAL POC
9.1 Apr 14

## Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query strin

CVE-2022-24760 CRITICAL POC
10.0 Mar 12

Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot

CVE-2025-56157 CRITICAL POC
9.8 Dec 18

Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al

CVE-2024-12909 CRITICAL POC
9.8 Mar 20

A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for

Share

CVE-2026-40930 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy