Libpng
Products by Libpng Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2024 there have been 0 vulnerabilities in Libpng . Last year Libpng had 1 security vulnerability published. Right now, Libpng is on track to have less security vulnerabilities in 2024 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2024 | 0 | 0.00 |
| 2023 | 1 | 5.50 |
| 2022 | 2 | 6.65 |
| 2021 | 0 | 0.00 |
| 2020 | 1 | 3.30 |
| 2019 | 4 | 7.60 |
| 2018 | 2 | 6.50 |
It may take a day or so for new Libpng vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Libpng Security Vulnerabilities
A flaw was found in libpng 1.6.38
CVE-2022-3857
5.5 - Medium
- March 06, 2023
A flaw was found in libpng 1.6.38. A crafted PNG image can lead to a segmentation fault and denial of service in png_setup_paeth_row() function.
NULL Pointer Dereference
A heap overflow flaw was found in libpngs' pngimage.c program
CVE-2021-4214
5.5 - Medium
- August 24, 2022
A heap overflow flaw was found in libpngs' pngimage.c program. This flaw allows an attacker with local network access to pass a specially crafted PNG file to the pngimage utility, causing an application to crash, leading to a denial of service.
Classic Buffer Overflow
A global buffer overflow was discovered in pngcheck function in pngcheck-2.4.0(5 patches applied)
CVE-2020-35511
7.8 - High
- August 23, 2022
A global buffer overflow was discovered in pngcheck function in pngcheck-2.4.0(5 patches applied) via a crafted png file.
Buffer Over-read
A flaw was found in the check_chunk_name() function of pngcheck-2.4.0
CVE-2020-27818
3.3 - Low
- December 08, 2020
A flaw was found in the check_chunk_name() function of pngcheck-2.4.0. An attacker able to pass a malicious file to be processed by pngcheck could cause a temporary denial of service, posing a low risk to application availability.
Out-of-bounds Read
libpng before 1.6.32 does not properly check the length of chunks against the user limit.
CVE-2017-12652
9.8 - Critical
- July 10, 2019
libpng before 1.6.32 does not properly check the length of chunks against the user limit.
Improper Input Validation
An issue has been found in third-party PNM decoding associated with libpng 1.6.35
CVE-2018-14550
8.8 - High
- July 10, 2019
An issue has been found in third-party PNM decoding associated with libpng 1.6.35. It is a stack-based buffer overflow in the function get_token in pnm2png.c in pnm2png.
Memory Corruption
png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free
CVE-2019-7317
5.3 - Medium
- February 04, 2019
png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute.
Dangling pointer
png_create_info_struct in png.c in libpng 1.6.36 has a memory leak, as demonstrated by pngcp
CVE-2019-6129
6.5 - Medium
- January 11, 2019
png_create_info_struct in png.c in libpng 1.6.36 has a memory leak, as demonstrated by pngcp. NOTE: a third party has stated "I don't think it is libpng's job to free this buffer.
Memory Leak
An issue has been found in libpng 1.6.34
CVE-2018-14048
6.5 - Medium
- July 13, 2018
An issue has been found in libpng 1.6.34. It is a SEGV in the function png_free_data in png.c, related to the recommended error handling for png_read_image.
In libpng 1.6.34
CVE-2018-13785
6.5 - Medium
- July 09, 2018
In libpng 1.6.34, a wrong calculation of row_factor in the png_check_chunk_length function (pngrutil.c) may trigger an integer overflow and resultant divide-by-zero while processing a crafted PNG file, leading to a denial of service.
Divide By Zero
The png_set_text_2 function in libpng 0.71 before 1.0.67, 1.2.x before 1.2.57, 1.4.x before 1.4.20, 1.5.x before 1.5.28, and 1.6.x before 1.6.27
CVE-2016-10087
7.5 - High
- January 30, 2017
The png_set_text_2 function in libpng 0.71 before 1.0.67, 1.2.x before 1.2.57, 1.4.x before 1.4.20, 1.5.x before 1.5.28, and 1.6.x before 1.6.27 allows context-dependent attackers to cause a NULL pointer dereference vectors involving loading a text chunk into a png structure, removing the text, and then adding another text chunk to the structure.
NULL Pointer Dereference
Integer underflow in the png_check_keyword function in pngwutil.c in libpng 0.90 through 0.99, 1.0.x before 1.0.66, 1.1.x and 1.2.x before 1.2.56, 1.3.x and 1.4.x before 1.4.19, and 1.5.x before 1.5.26
CVE-2015-8540
8.8 - High
- April 14, 2016
Integer underflow in the png_check_keyword function in pngwutil.c in libpng 0.90 through 0.99, 1.0.x before 1.0.66, 1.1.x and 1.2.x before 1.2.56, 1.3.x and 1.4.x before 1.4.19, and 1.5.x before 1.5.26 allows remote attackers to have unspecified impact via a space character as a keyword in a PNG image, which triggers an out-of-bounds read.
Numeric Errors
Multiple buffer overflows in the (1) png_set_PLTE and (2) png_get_PLTE functions in libpng before 1.0.64, 1.1.x and 1.2.x before 1.2.54, 1.3.x and 1.4.x before 1.4.17, 1.5.x before 1.5.24, and 1.6.x before 1.6.19
CVE-2015-8126
- November 13, 2015
Multiple buffer overflows in the (1) png_set_PLTE and (2) png_get_PLTE functions in libpng before 1.0.64, 1.1.x and 1.2.x before 1.2.54, 1.3.x and 1.4.x before 1.4.17, 1.5.x before 1.5.24, and 1.6.x before 1.6.19 allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image.
Classic Buffer Overflow
Memory leak in the embedded_profile_len function in pngwutil.c in libpng before 1.2.39beta5
CVE-2009-5063
- August 31, 2011
Memory leak in the embedded_profile_len function in pngwutil.c in libpng before 1.2.39beta5 allows context-dependent attackers to cause a denial of service (memory leak or segmentation fault) via a JPEG image containing an iCCP chunk with a negative embedded profile length. NOTE: this is due to an incomplete fix for CVE-2006-7244.
Memory Leak
The png_handle_sCAL function in pngrutil.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 does not properly handle invalid sCAL chunks, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a crafted PNG image
CVE-2011-2692
8.8 - High
- July 17, 2011
The png_handle_sCAL function in pngrutil.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 does not properly handle invalid sCAL chunks, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a crafted PNG image that triggers the reading of uninitialized memory.
Buffer Overflow
The png_err function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 makes a function call using a NULL pointer argument instead of an empty-string argument, which
CVE-2011-2691
6.5 - Medium
- July 17, 2011
The png_err function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 makes a function call using a NULL pointer argument instead of an empty-string argument, which allows remote attackers to cause a denial of service (application crash) via a crafted PNG image.
NULL Pointer Dereference
Buffer overflow in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4, when used by an application
CVE-2011-2690
8.8 - High
- July 17, 2011
Buffer overflow in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4, when used by an application that calls the png_rgb_to_gray function but not the png_set_expand function, allows remote attackers to overwrite memory with an arbitrary amount of data, and possibly have unspecified other impact, via a crafted PNG image.
Classic Buffer Overflow
The png_format_buffer function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 allows remote attackers to cause a denial of service (application crash) via a crafted PNG image
CVE-2011-2501
6.5 - Medium
- July 17, 2011
The png_format_buffer function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 allows remote attackers to cause a denial of service (application crash) via a crafted PNG image that triggers an out-of-bounds read during the copying of error-message data. NOTE: this vulnerability exists because of a CVE-2004-0421 regression. NOTE: this is called an off-by-one error by some sources.
Out-of-bounds Read
Memory leak in pngrutil.c in libpng before 1.2.44, and 1.4.x before 1.4.3
CVE-2010-2249
6.5 - Medium
- June 30, 2010
Memory leak in pngrutil.c in libpng before 1.2.44, and 1.4.x before 1.4.3, allows remote attackers to cause a denial of service (memory consumption and application crash) via a PNG image containing malformed Physical Scale (aka sCAL) chunks.
Memory Leak
Buffer overflow in pngpread.c in libpng before 1.2.44 and 1.4.x before 1.4.3, as used in progressive applications, might allow remote attackers to execute arbitrary code via a PNG image
CVE-2010-1205
9.8 - Critical
- June 30, 2010
Buffer overflow in pngpread.c in libpng before 1.2.44 and 1.4.x before 1.4.3, as used in progressive applications, might allow remote attackers to execute arbitrary code via a PNG image that triggers an additional data row.
Classic Buffer Overflow