Source: libpng1.6
Version: 1.6.55-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libpng1.6.

CVE-2026-33636[0]:
| LIBPNG is a reference library for use in applications that read,
| create, and manipulate PNG (Portable Network Graphics) raster image
| files. In versions 1.6.36 through 1.6.55, an out-of-bounds read and
| write exists in libpng's ARM/AArch64 Neon-optimized palette
| expansion path. When expanding 8-bit paletted rows to RGB or RGBA,
| the Neon loop processes a final partial chunk without verifying that
| enough input pixels remain. Because the implementation works
| backward from the end of the row, the final iteration dereferences
| pointers before the start of the row buffer (OOB read) and writes
| expanded pixel data to the same underflowed positions (OOB write).
| This is reachable via normal decoding of attacker-controlled PNG
| input if Neon is enabled. Version 1.6.56 fixes the issue.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-33636
    https://www.cve.org/CVERecord?id=CVE-2026-33636
[1] https://github.com/pnggroup/libpng/commit/aba9f18eba870d14fb52c5ba5d73451349e339c3

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
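The following is an added, constructed C model of the defect class described in the CVE text; it is not libpng's code and does not reproduce the upstream loop or the fix in [1]. `LANES`, `unchecked_lowest_offset`, `expand_palette_rgb` and `demo_row_ok` are all assumed names: the first function computes how far before the row a backward loop that always loads a full vector for the last partial chunk would read, and the second shows the defensive shape (vector steps only while a whole chunk remains, scalar tail for the rest) that avoids the underflow.

```c
#include <stddef.h>
#include <stdint.h>

#define LANES 8 /* pixels per vector step; a constructed value, not libpng's */

/* Model of the unchecked backward loop: the final partial chunk of
   (width % LANES) pixels is still loaded as a full LANES-wide vector that
   ends at the row start, so the load begins before the buffer. Returns the
   lowest input byte offset such a loop would touch (negative = underflow). */
long unchecked_lowest_offset(size_t width)
{
    size_t rem = width % LANES;
    return rem == 0 ? 0 : (long)rem - (long)LANES;
}

/* Hardened in-place expansion of 8-bit indices to RGB: vector-sized steps
   only while a whole chunk remains, then a scalar tail. Works back to front
   so expanded pixels never clobber indices not yet read. The row buffer
   must hold width * 3 bytes. Returns the number of bytes written. */
size_t expand_palette_rgb(uint8_t *row, size_t width,
                          const uint8_t palette[][3])
{
    size_t i = width;
    while (i >= LANES) {                     /* full chunks only */
        i -= LANES;
        for (size_t k = LANES; k-- > 0;) {   /* stand-in for the NEON step */
            const uint8_t *p = palette[row[i + k]];
            uint8_t *o = row + (i + k) * 3;
            o[0] = p[0]; o[1] = p[1]; o[2] = p[2];
        }
    }
    while (i-- > 0) {                        /* tail of fewer than LANES pixels */
        const uint8_t *p = palette[row[i]];
        uint8_t *o = row + i * 3;
        o[0] = p[0]; o[1] = p[1]; o[2] = p[2];
    }
    return width * 3;
}

/* Constructed 11-pixel row (not a multiple of LANES); returns 1 on success. */
int demo_row_ok(void)
{
    static const uint8_t pal[4][3] = {{1,2,3},{4,5,6},{7,8,9},{10,11,12}};
    uint8_t row[11 * 3] = {0,1,2,3,0,1,2,3,0,1,2};
    if (expand_palette_rgb(row, 11, pal) != 33) return 0;
    return row[0] == 1 && row[5] == 6 && row[11] == 12 && row[32] == 9;
}
```

For a width of 11 the unchecked model reports offset -5, i.e. five bytes before the row; widths that are exact multiples of the lane count never trigger the tail and so never show the problem, which is why a test corpus should include odd widths.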

