CVE-2026-22801
Published: 12 January 2026
Summary
CVE-2026-22801 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in libpng. Its CVSS base score is 6.8 (Medium).
Operationally, it ranks at the 2.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-22801 is an integer truncation vulnerability (CWE-190) in the LIBPNG reference library for reading, creating, and manipulating PNG image files, leading to a heap buffer over-read (CWE-125). It affects versions 1.6.26 through 1.6.53 in the simplified write API functions png_write_image_16bit and png_write_image_8bit. The flaw is triggered when a caller provides a negative row stride (used for bottom-up image layouts) or a stride exceeding 65535 bytes; it was introduced in version 1.6.26 by casts added to silence compiler warnings on 16-bit systems. The vulnerability has a CVSS v3.1 base score of 6.8 (AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H).
A local attacker can exploit this issue with low attack complexity and without privileges or user interaction. Exploitation consists of passing malformed stride values to the affected functions; the resulting heap buffer over-read has a high availability impact (application crashes or denial of service) and a low confidentiality impact from potential limited memory disclosure.
The vulnerability is addressed in libpng version 1.6.54. Additional details on the issue and patch are available in the GitHub security advisory at https://github.com/pnggroup/libpng/security/advisories/GHSA-vgjq-8cw5-ggw8.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2416
Vulnerability details
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit that causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54.
Related Threats
MITRE ATT&CK Enterprise Techniques
Insufficient information to map techniques.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly enforces validation of row-stride parameters passed to png_write_image_* before they reach the integer-truncation logic.
- SI-2 (Flaw Remediation): Requires prompt application of the libpng 1.6.54 patch that removes the erroneous casts causing the truncation.
- Provides memory-protection mechanisms that can contain or block the heap buffer over-read resulting from malformed strides.
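The following is an added illustration, not code from libpng or from this advisory: it models the 16-bit truncation of the row byte distance described above and shows the SI-10 pre-flight check an application could run before handing an image to the simplified write API while it still links an unpatched 1.6.26 to 1.6.53 build. Type and function names are this example's own; the stride is taken in components (the unit the simplified API uses) with comp_bytes converting to the byte count that the 65535 limit refers to, and the image dimensions in main() are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Verdicts for a caller-supplied row stride (in components, negative for
 * bottom-up layouts, as the simplified write API takes it). */
typedef enum {
    STRIDE_OK = 0,
    STRIDE_TOO_SMALL,   /* shorter than one row of pixels */
    STRIDE_NEGATIVE,    /* bottom-up layout: the sign is lost by the 16-bit cast */
    STRIDE_TOO_LARGE    /* more than 65535 bytes: the high bits are dropped */
} stride_verdict;

/* Model of the truncation described on this page: the byte distance between
 * rows is narrowed to an unsigned 16-bit value before it is used to advance
 * the input pointer, so only the low 16 bits survive and the sign is lost.
 * Returns the distance the affected code would actually step. */
long truncated_row_advance(ptrdiff_t row_bytes) {
    return (long)(uint16_t)row_bytes;
}

/* Pre-flight check (the SI-10 input-validation control) for an application
 * that still links an unpatched 1.6.26..1.6.53 build. comp_bytes is 1 for
 * 8-bit and 2 for 16-bit samples; width and channels describe the image. */
stride_verdict check_row_stride(uint32_t width, unsigned channels,
                                unsigned comp_bytes, int32_t stride) {
    ptrdiff_t min_components = (ptrdiff_t)width * (ptrdiff_t)channels;
    ptrdiff_t row_bytes = (ptrdiff_t)stride * (ptrdiff_t)comp_bytes;
    if (stride < 0)
        return STRIDE_NEGATIVE;   /* flip the buffer to top-down instead */
    if (stride < min_components)
        return STRIDE_TOO_SMALL;  /* rows overlap; the last row runs past the buffer */
    if (row_bytes > 65535)
        return STRIDE_TOO_LARGE;  /* write in narrower tiles, or upgrade */
    return STRIDE_OK;
}

int main(void) {
    /* Constructed example images: a 1024-pixel-wide 16-bit RGBA row holds
     * 4096 components (8192 bytes); a 40000-pixel-wide 8-bit RGBA row holds
     * 160000 components (160000 bytes). */
    printf("top-down stride 4096:     verdict %d\n", check_row_stride(1024, 4, 2, 4096));
    printf("bottom-up stride -4096:   verdict %d, advance %ld bytes (expected -8192)\n",
           check_row_stride(1024, 4, 2, -4096), truncated_row_advance(-8192));
    printf("wide 8-bit stride 160000: verdict %d, advance %ld bytes (expected 160000)\n",
           check_row_stride(40000, 4, 1, 160000), truncated_row_advance(160000));
    return 0;
}
```

Note that the third case is a legitimately large image, not a malformed input: on an affected build, any 8-bit row wider than 65535 bytes is stepped incorrectly, which is why patching to 1.6.54 rather than filtering alone is the durable fix.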