CVE-2026-22801

Source
https://cve.org/CVERecord?id=CVE-2026-22801
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-22801.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-22801
Aliases
  • GHSA-vgjq-8cw5-ggw8
Published
2026-01-12T22:57:58.288Z
Modified
2026-04-30T10:02:26.547601Z
Severity
  • 6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Summary
LIBPNG has an integer truncation causing heap buffer over-read in png_image_write_*
Details

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes a heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-125",
        "CWE-190"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/22xxx/CVE-2026-22801.json"
}
Affected packages

Git / github.com/glennrp/libpng

Affected ranges

Type
GIT
Repo
https://github.com/glennrp/libpng
Events
Database specific
{
    "versions": [
        {
            "introduced": "1.6.26"
        },
        {
            "fixed": "1.6.54"
        }
    ]
}

Affected versions

libpng-1.*
libpng-1.6.26-signed
libpng-1.6.29-signed
libpng-1.6.30-master-signed
libpng-1.6.30-signed
libpng-1.6.31-master-signed
libpng-1.6.31-signed
v1.*
v1.6.26
v1.6.27beta01
v1.6.29
v1.6.29beta02
v1.6.29beta03
v1.6.29rc01
v1.6.30
v1.6.30beta01
v1.6.30beta02
v1.6.30beta03
v1.6.30beta04
v1.6.30rc01
v1.6.31
v1.6.31beta01
v1.6.31beta02
v1.6.31beta03
v1.6.31beta04
v1.6.31beta05
v1.6.31beta06
v1.6.31beta07
v1.6.31rc01
v1.6.31rc02
v1.6.32
v1.6.32beta01
v1.6.32beta02
v1.6.32beta03
v1.6.32beta05
v1.6.32beta06
v1.6.32beta07
v1.6.32beta08
v1.6.32beta09
v1.6.32beta10
v1.6.32beta11
v1.6.32rc01
v1.6.32rc02
v1.6.33
v1.6.33beta01
v1.6.33beta02
v1.6.33beta03
v1.6.33rc01
v1.6.33rc02
v1.6.34
v1.6.35
v1.6.35beta01
v1.6.36
v1.6.37
v1.6.38
v1.6.39
v1.6.40
v1.6.41
v1.6.42
v1.6.43
v1.6.44
v1.6.45
v1.6.46
v1.6.47
v1.6.48
v1.6.49
v1.6.50
v1.6.51
v1.6.52
v1.6.53

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-22801.json"