Hello everyone,

libpng 1.6.54 has been released, fixing two medium-severity heap buffer over-read vulnerabilities in the simplified API.

=== CVE-2026-22695 ===
Heap buffer over-read in png_image_read_direct_scaled (regression from CVE-2025-65018 fix)

Security advisory: https://github.com/pnggroup/libpng/security/advisories/GHSA-mmq5-27w3-rxpp
Remediation commit: https://github.com/pnggroup/libpng/commit/e4f7ad4ea2
CVSS 3.1: 6.1 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
CWE: CWE-125 (Out-of-bounds Read)
Affected: libpng 1.6.51 through 1.6.53
Fixed: libpng 1.6.54

This is a regression introduced by the fix for CVE-2025-65018. When processing interlaced 16-bit PNGs with 8-bit output format and a non-minimal row stride, the png_image_read_direct_scaled() function used the caller's stride instead of the actual row width for memcpy, causing a heap buffer over-read.

Impact:
- Information disclosure (low): the over-read may expose adjacent heap data
- Denial of service (high): a negative stride causes a deterministic crash

Applications using the default stride (row_stride = 0 or row_stride = PNG_IMAGE_ROW_STRIDE(image)) are NOT affected.

Credit: Petr Simecek, Stanislav Fort and Pavel Kohout (discovery), Petr Simecek (fix)

=== CVE-2026-22801 ===
Integer truncation causing heap buffer over-read in png_image_write_*

Security advisory: https://github.com/pnggroup/libpng/security/advisories/GHSA-vgjq-8cw5-ggw8
Remediation commit: https://github.com/pnggroup/libpng/commit/cf155de014
CVSS 3.1: 6.1 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
CWE: CWE-125 (Out-of-bounds Read), CWE-190 (Integer Overflow or Wraparound)
Affected: libpng 1.6.26 through 1.6.53
Fixed: libpng 1.6.54

The simplified write API functions png_write_image_16bit and png_write_image_8bit cast the ptrdiff_t row_bytes to png_uint_16 before pointer arithmetic. This truncation causes a heap buffer over-read when the caller provides a negative row stride (for bottom-up layouts) or a stride exceeding 65535 bytes.

Impact:
- Information disclosure (low): the over-read may expose heap data in the output
- Denial of service (high): infinite loop or crash from reading unmapped memory

Applications using the default stride with images narrower than 65535 bytes per row and a top-down layout are NOT affected.

Credit: Cosmin Truta (discovery and fix)

=== References ===
- GitHub Issue (CVE-2026-22695): https://github.com/pnggroup/libpng/issues/778
- libpng homepage: http://www.libpng.org/pub/png/libpng.html

---
Cosmin Truta
libpng maintainer
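As an added illustration for both advisories above (this is example code, not part of the announcement and not libpng's own code): the first function models the narrowing cast named in CVE-2026-22801 so the effect of a negative or over-wide stride on a 16-bit value is visible, and the second is a hypothetical caller-side pre-check that an application could run on its own row_stride before calling the simplified read/write API while it is still linked against a release older than 1.6.54. The check enforces exactly the "NOT affected" conditions listed above: top-down layout, the default (minimal) stride, and a row width that fits in 16 bits. It assumes the stride and row width are expressed in the same unit (bytes here); the function names and the reason codes are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative model (not libpng code) of the narrowing described in the
 * advisory: a ptrdiff_t row stride cast to a 16-bit unsigned value before it
 * is used in pointer arithmetic. Returns the value the stride becomes. */
ptrdiff_t narrowed_stride(ptrdiff_t row_bytes)
{
    return (ptrdiff_t)(uint16_t)row_bytes;
}

/* Reason codes returned by check_simplified_api_stride() (example's own). */
enum stride_check {
    STRIDE_OK = 0,
    STRIDE_NEGATIVE,       /* bottom-up layout: the write-path condition */
    STRIDE_TOO_SHORT,      /* stride smaller than one row: never valid */
    STRIDE_NON_MINIMAL,    /* extra padding: the read-path condition */
    STRIDE_EXCEEDS_16BIT   /* row too wide to survive the uint16 narrowing */
};

/* Hypothetical caller-side pre-check, applied before handing a stride to the
 * simplified API on a library older than 1.6.54. row_bytes is the minimal
 * width of one row; row_stride is the caller's value (0 = use the default). */
enum stride_check check_simplified_api_stride(size_t row_bytes, ptrdiff_t row_stride)
{
    if (row_stride < 0)
        return STRIDE_NEGATIVE;
    if (row_stride == 0)
        row_stride = (ptrdiff_t)row_bytes;   /* 0 selects the default stride */
    if ((size_t)row_stride < row_bytes)
        return STRIDE_TOO_SHORT;
    if ((size_t)row_stride > row_bytes)
        return STRIDE_NON_MINIMAL;
    if (row_stride > 0xFFFF)
        return STRIDE_EXCEEDS_16BIT;
    return STRIDE_OK;
}

int main(void)
{
    /* Constructed sample values: a 1024-pixel RGBA row is 4096 bytes wide. */
    const size_t row = 4096;
    printf("narrowed(-4096)  = %td\n", narrowed_stride(-4096));   /* 61440 */
    printf("narrowed(70000)  = %td\n", narrowed_stride(70000));   /* 4464 */
    printf("default stride   -> %d\n", check_simplified_api_stride(row, 0));
    printf("bottom-up stride -> %d\n", check_simplified_api_stride(row, -(ptrdiff_t)row));
    printf("padded stride    -> %d\n", check_simplified_api_stride(row, 8192));
    printf("100000-byte row  -> %d\n", check_simplified_api_stride(100000, 0));
    return 0;
}
```

The pre-check is a stop-gap for deployments that cannot upgrade immediately; the actual remediation is the 1.6.54 release linked above.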
