libpng is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.6.36 through 1.6.55, an out-of-bounds read and an out-of-bounds write exist in libpng's ARM/AArch64 Neon-optimized palette expansion path. When expanding 8-bit paletted rows to RGB or RGBA, the Neon loop processes a final partial chunk without verifying that enough input pixels remain. Because the implementation works backward from the end of the row, the final iteration dereferences pointers before the start of the row buffer (OOB read) and writes expanded pixel data to those same positions before the buffer start (OOB write). This is reachable via normal decoding of attacker-controlled PNG input if Neon is enabled; the defect is confined to that Neon path, so builds compiled without it are not expected to execute the affected code. Version 1.6.56 fixes the issue.
{
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-125",
"CWE-787"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33636.json"
}[
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"277710390577621166110153611286032748480",
"37812626001429359030407727102204306192",
"235108146190051955392336492964133331294",
"308819439959077714989618121299124277555",
"260397287775790088579463485285595959002"
]
},
"signature_type": "Line",
"signature_version": "v1",
"id": "CVE-2026-33636-053d8287",
"target": {
"file": "pngtest.c"
},
"source": "https://github.com/pnggroup/libpng/commit/d5515b5b8be3901aac04e5bd8bd5c89f287bcd33",
"deprecated": false
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"40751227670912029756736149127120453150",
"198637830444904859113826643048008781516",
"294647118521878145574180744584575428362",
"285236432918937864063307010650362056255"
]
},
"id": "CVE-2026-33636-0c8067c5",
"signature_type": "Line",
"signature_version": "v1",
"deprecated": false,
"source": "https://github.com/pnggroup/libpng/commit/7734cda20cf1236aef60f3bbd2267c97bbb40869",
"target": {
"file": "pngwrite.c"
}
},
{
"digest": {
"function_hash": "199968100073827932216079219567117987864",
"length": 2269.0
},
"signature_type": "Function",
"signature_version": "v1",
"id": "CVE-2026-33636-16ac3d3c",
"target": {
"file": "pngrtran.c",
"function": "png_do_expand_palette"
},
"source": "https://github.com/pnggroup/libpng/commit/7734cda20cf1236aef60f3bbd2267c97bbb40869",
"deprecated": false
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"275318446917889581591712309654270559088",
"147859018149019635503940028866009801974",
"58034846403964971091978219878215595589",
"261967513799812526214064242125720559964",
"44366717871718708055634204089723462121",
"278223488293610280681987664131414921117",
"269397633101767526096701517678195190804",
"46713617828654580387269179466881548258",
"122362575830325394055248433390643149954",
"261307837395774366543836730453708299711",
"42862244976555213052745726969164634300",
"176414257383541221982201214247101557882",
"285660605718942037139848647483478198981",
"47051430104373243095371920655875589173",
"203058605633911068229640484357583912093",
"288720066731729392119160850780116566713",
"198812608949545474109146532334817318504",
"124250797800217697583020144784622480283",
"79646082314197092668214689039147538085",
"195932328879744920227070835757212684030",
"159389108443249910704220163757357140796",
"72087639504129898708402916779438914943",
"188237100500138616985100768399046376846",
"277667244407150153248336686085588544969",
"248794707978089747186691652584476896289"
]
},
"id": "CVE-2026-33636-1b1ea51d",
"signature_type": "Line",
"signature_version": "v1",
"target": {
"file": "pngrtran.c"
},
"source": "https://github.com/pnggroup/libpng/commit/7734cda20cf1236aef60f3bbd2267c97bbb40869",
"deprecated": false
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"309299325879604982214741599746226985935",
"34398671405884067815466589706397554595",
"263346122310846184103855360971270516503"
]
},
"id": "CVE-2026-33636-3260f319",
"signature_type": "Line",
"signature_version": "v1",
"target": {
"file": "pngstruct.h"
},
"source": "https://github.com/pnggroup/libpng/commit/7734cda20cf1236aef60f3bbd2267c97bbb40869",
"deprecated": false
},
{
"digest": {
"function_hash": "17381089783477208875233528329869443635",
"length": 6287.0
},
"id": "CVE-2026-33636-3d2d2180",
"signature_type": "Function",
"signature_version": "v1",
"target": {
"file": "pngrtran.c",
"function": "png_do_read_transformations"
},
"source": "https://github.com/pnggroup/libpng/commit/7734cda20cf1236aef60f3bbd2267c97bbb40869",
"deprecated": false
},
{
"digest": {
"function_hash": "191788870158240393335986482985216797006",
"length": 1253.0
},
"signature_type": "Function",
"signature_version": "v1",
"id": "CVE-2026-33636-78ce0547",
"target": {
"file": "arm/palette_neon_intrinsics.c",
"function": "png_do_expand_palette_rgb8_neon"
},
"source": "https://github.com/pnggroup/libpng/commit/aba9f18eba870d14fb52c5ba5d73451349e339c3",
"deprecated": false
},
{
"digest": {
"function_hash": "236483884268181938566890713142960837813",
"length": 656.0
},
"id": "CVE-2026-33636-980e11bb",
"signature_type": "Function",
"signature_version": "v1",
"deprecated": false,
"source": "https://github.com/pnggroup/libpng/commit/7734cda20cf1236aef60f3bbd2267c97bbb40869",
"target": {
"file": "pngwrite.c",
"function": "png_write_destroy"
}
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"195793623419483107751349550499422338653",
"241481619897360395005270248340996576576",
"333957916052778635910280086895133772621",
"73182602440664933896353205027083131409",
"119279519610455638020139458056230155289",
"215279933436747534013670962459111392399"
]
},
"id": "CVE-2026-33636-9a8d3ae7",
"signature_type": "Line",
"signature_version": "v1",
"deprecated": false,
"source": "https://github.com/pnggroup/libpng/commit/d5515b5b8be3901aac04e5bd8bd5c89f287bcd33",
"target": {
"file": "png.c"
}
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"166375070723291529406421301066248769034",
"275647010778297936193963675511576832388",
"256826767335212246520616614652191899280",
"279336807821086835335477021495116274772",
"53629475448747437379627006107537775352",
"46568612355367798241902050586166833318",
"245452045998668159989023841863587304868",
"114709392716353867339954008479701831121"
]
},
"id": "CVE-2026-33636-dc375153",
"signature_type": "Line",
"signature_version": "v1",
"deprecated": false,
"source": "https://github.com/pnggroup/libpng/commit/d5515b5b8be3901aac04e5bd8bd5c89f287bcd33",
"target": {
"file": "png.h"
}
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"139367891135452867165652437057481171091",
"33631614570698655213439046891038502724",
"73009570458539095253372671230696058840"
]
},
"id": "CVE-2026-33636-e0ad299e",
"signature_type": "Line",
"signature_version": "v1",
"target": {
"file": "pngpriv.h"
},
"source": "https://github.com/pnggroup/libpng/commit/7734cda20cf1236aef60f3bbd2267c97bbb40869",
"deprecated": false
},
{
"digest": {
"function_hash": "128613901959813948094254356666012276707",
"length": 841.0
},
"signature_type": "Function",
"signature_version": "v1",
"id": "CVE-2026-33636-e36d813e",
"target": {
"file": "arm/palette_neon_intrinsics.c",
"function": "png_do_expand_palette_rgba8_neon"
},
"source": "https://github.com/pnggroup/libpng/commit/aba9f18eba870d14fb52c5ba5d73451349e339c3",
"deprecated": false
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"298359708780267296884315157627833435451",
"203203178321805385143526883075393510811",
"250242872877104785147844109220919858595",
"79048702668278991502446076210527555188",
"171919842259648123697619028366239398012",
"241268730263835879674777371680796159758",
"293042023929336437675212565487597359138",
"102080076162553264016683727533188887257",
"289421140340610710376227973987476268928",
"180482023378579750659669637771709492112",
"136583812222870122331793565768299380396",
"322726961584630739184609056372871362468",
"311039951619311631758162993300496042313",
"215349985471551441045135139639116256526",
"203660877934709973581203789725256264127",
"149369019407912671219455789735649947374",
"288217906790959503968015943118871567353",
"142502072423275304246426102188211634235",
"102080076162553264016683727533188887257",
"289421140340610710376227973987476268928",
"180482023378579750659669637771709492112",
"264103051453817654756190448191240629301",
"41928230139577688963226065437266305186"
]
},
"id": "CVE-2026-33636-e590930e",
"signature_type": "Line",
"signature_version": "v1",
"target": {
"file": "arm/palette_neon_intrinsics.c"
},
"source": "https://github.com/pnggroup/libpng/commit/aba9f18eba870d14fb52c5ba5d73451349e339c3",
"deprecated": false
},
{
"digest": {
"function_hash": "241740084829777515414352894687164664979",
"length": 481.0
},
"id": "CVE-2026-33636-ed236551",
"signature_type": "Function",
"signature_version": "v1",
"target": {
"file": "png.c",
"function": "png_get_copyright"
},
"source": "https://github.com/pnggroup/libpng/commit/d5515b5b8be3901aac04e5bd8bd5c89f287bcd33",
"deprecated": false
}
]
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-33636.json"
"2026-06-18T18:09:07Z"