libpng
About this tag
The libpng tag on WindowsForum.com covers security vulnerabilities and patches for the libpng library, the canonical C library for reading and writing PNG images. Recent discussions focus on high-severity CVEs including use-after-free, heap buffer overflows, out-of-bounds reads, and integer truncation bugs affecting libpng versions through 1.6.55. Specific issues like CVE-2026-33416, CVE-2026-3713, CVE-2026-22801, CVE-2025-66293, CVE-2025-64506, and CVE-2025-64505 are detailed, with fixes in libpng 1.6.51 through 1.6.56. Threads emphasize the importance of updating libpng to mitigate denial-of-service, information disclosure, and application crash risks, particularly for enterprise IT and developers relying on this widely embedded library.
CVE-2026-33416 is a reminder that mature image libraries can still hide dangerous memory-safety bugs in code paths that look deceptively routine. Microsoft’s update guide frames the flaw as a use-after-free in libpng with high availability impact, and the PNG Project says the bug affects...
A newly disclosed vulnerability in the pnggroup libpng project—tracked as CVE-2026-3713—allows a specially crafted PNM image to trigger a heap-based buffer overflow in the library’s pnm2png utility, and a public proof-of-concept has already been published. This bug stems from an...
A recently disclosed flaw in the libpng library — tracked as CVE-2026-22801 — creates an integer truncation in libpng's simplified write APIs that can lead to a heap buffer over‑read and consequent denial‑of‑service or information disclosure when applications call png_write_image_16bit() or...
libpng’s maintainers have shipped an urgent patch after researchers discovered a high‑severity out‑of‑bounds read in the simplified read/write API: png_image_read_composite can read up to 1,012 bytes past the end of the png_sRGB_base array when processing valid palette PNGs that include partial...
A heap buffer over-read has been disclosed in the libpng library’s simplified write API: CVE-2025-64506 affects libpng versions 1.6.0 through 1.6.50 and is patched in libpng 1.6.51; the flaw stems from an incorrect conditional in png_write_image_8bit that can cause 8-bit image buffers to be...
A recently disclosed vulnerability in the widely used libpng library — tracked as CVE‑2025‑64505 — allows a crafted PNG file with malformed palette indices to provoke a heap buffer over‑read in libpng’s png_do_quantize routine; the issue is fixed in libpng 1.6.51, and maintainers and downstream...
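An added C example, written for this tag page and not taken from libpng or from any of the threads above, illustrating the two bug classes the CVE‑2026‑22801 and CVE‑2025‑64505 threads describe: image buffer size arithmetic that is truncated to 32 bits beside a checked size_t version, and validation of palette indices before they are used as a table subscript. Every function name, the sample palette and the pixel row are constructed for the illustration; the code does not reproduce libpng's internal logic.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Bug-class illustration (hypothetical, not libpng code): the product
 * width * height * bytes_per_pixel is formed correctly but then stored in a
 * 32-bit integer, as an API that hands a png_uint_32 to an allocator might.
 * For large dimensions the value wraps, the heap buffer is allocated short,
 * and a later read of the full image runs past its end. */
uint32_t image_bytes_truncating(uint32_t width, uint32_t height,
                                uint32_t bytes_per_pixel)
{
    uint64_t full = (uint64_t)width * height * bytes_per_pixel;
    return (uint32_t)full;              /* truncation: high bits discarded */
}

/* Hardened form: size_t arithmetic with overflow checks before each multiply.
 * Returns 0 and fills *out, or -1 if the size cannot be represented (or any
 * dimension is zero), so the caller refuses the image instead of allocating
 * a buffer that is smaller than the data it will hold. */
int image_bytes_checked(uint32_t width, uint32_t height,
                        uint32_t bytes_per_pixel, size_t *out)
{
    size_t row, total;
    if (width == 0 || height == 0 || bytes_per_pixel == 0) return -1;
    if ((size_t)width > SIZE_MAX / bytes_per_pixel) return -1;
    row = (size_t)width * bytes_per_pixel;
    if (row > SIZE_MAX / height) return -1;
    total = row * height;
    *out = total;
    return 0;
}

/* Constructed sample data: a 4-entry RGB palette and one row of 8-bit
 * palette indices. Index 7 is out of range for a 4-entry palette. */
static const uint8_t kPalette[4][3] = {
    {0, 0, 0}, {255, 0, 0}, {0, 255, 0}, {0, 0, 255}
};
static const uint8_t kPixelRow[] = {0, 1, 2, 3, 7, 1};
#define kPixelRowLen (sizeof kPixelRow / sizeof kPixelRow[0])

/* Returns the position of the first pixel whose value is not a valid index
 * into a palette of palette_entries colours, or -1 if every index is valid.
 * Running this over indexed image data before any palette-driven transform
 * is the generic defence against the over-read class described for
 * png_do_quantize. */
long first_bad_palette_index(const uint8_t *pixels, size_t count,
                             size_t palette_entries)
{
    for (size_t i = 0; i < count; i++)
        if (pixels[i] >= palette_entries) return (long)i;
    return -1;
}

/* Bounds-checked palette lookup: copies the RGB triple for index into rgb
 * and returns 0, or returns -1 without touching rgb if index is out of range.
 * The unchecked form, palette[index], is exactly the over-read. */
int palette_lookup(const uint8_t (*palette)[3], size_t palette_entries,
                   uint8_t index, uint8_t rgb[3])
{
    if (index >= palette_entries) return -1;
    rgb[0] = palette[index][0];
    rgb[1] = palette[index][1];
    rgb[2] = palette[index][2];
    return 0;
}

int main(void)
{
    size_t n;
    uint8_t rgb[3];

    printf("640x480x3 truncating=%u checked=%s\n",
           image_bytes_truncating(640, 480, 3),
           image_bytes_checked(640, 480, 3, &n) == 0 ? "ok" : "overflow");
    /* 65536 x 65536 x 1 is exactly 2^32: the truncating form yields 0. */
    printf("65536x65536x1 truncating=%u checked=%s\n",
           image_bytes_truncating(65536, 65536, 1),
           image_bytes_checked(65536, 65536, 1, &n) == 0 ? "ok" : "overflow");

    printf("first bad palette index: %ld\n",
           first_bad_palette_index(kPixelRow, kPixelRowLen, 4));
    printf("lookup 7 -> %d, lookup 2 -> %d\n",
           palette_lookup(kPalette, 4, 7, rgb),
           palette_lookup(kPalette, 4, 2, rgb));
    return 0;
}
```

The checked size function deliberately rejects zero dimensions as well as overflow: a zero-sized allocation followed by a write of even one row is the same class of defect as a wrapped size. On a platform with a 32-bit size_t the 65536 x 65536 case is reported as overflow rather than computed, which is the behaviour the truncating version lacks.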