
CVE-2026-22801

Severity: Medium
Published: 12 January 2026
Modified: 21 January 2026
KEV Added: not listed
Patch: available (libpng 1.6.54)
CVSS v3.1 score: 6.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H)
EPSS score: 0.0001 (2.5th percentile)
Risk priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-22801 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in libpng (vendor: Libpng). Its CVSS base score is 6.8 (Medium).

Operationally, its EPSS score ranks it at the 2.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-22801 is an integer truncation vulnerability (CWE-190) in libpng, the reference library for reading, creating, and manipulating PNG image files, that leads to a heap buffer over-read (CWE-125). It affects versions 1.6.26 through 1.6.53 in the simplified write API functions png_write_image_16bit and png_write_image_8bit. The flaw triggers when a caller provides a negative row stride (used for bottom-up image layouts) or a stride exceeding 65535 bytes; it was introduced in version 1.6.26 by casts added to silence compiler warnings on 16-bit systems. The vulnerability has a CVSS v3.1 base score of 6.8 (AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H).

A local attacker can exploit this issue with low attack complexity, requiring no privileges or user interaction. Exploitation involves passing malformed stride values to the affected functions, resulting in a heap buffer over-read that causes high availability impact through application crashes or denial of service, alongside low confidentiality impact from potential limited memory disclosure.

The vulnerability is addressed in libpng version 1.6.54. Additional details on the issue and patch are available in the GitHub security advisory at https://github.com/pnggroup/libpng/security/advisories/GHSA-vgjq-8cw5-ggw8.
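To make the mechanism concrete, here is an added C model (not libpng's own code; the narrowing cast, the row dimensions and the buffer sizes are assumed) showing why a negative stride or one above 65535 bytes does not survive a 16-bit cast, together with the bounds check a caller or wrapper can apply to a stride before handing it to the simplified write API.

```c
#include <stddef.h>
#include <stdint.h>

/* Illustrative model, not libpng's code. A signed 32-bit row stride in bytes
 * (negative for bottom-up layouts) is the step between rows. A cast that
 * narrows it to 16 bits, of the kind added to quiet a 16-bit compiler
 * warning, loses the sign of a negative stride and the high bits of a
 * stride above 65535: the two trigger conditions described above. */

/* Hypothetical narrowing cast: models the truncation, not libpng's exact code. */
static ptrdiff_t stride_truncated(int32_t row_stride)
{
    return (ptrdiff_t)(uint16_t)row_stride;
}

/* Full-width conversion: the stride keeps its sign and magnitude. */
static ptrdiff_t stride_full(int32_t row_stride)
{
    return (ptrdiff_t)row_stride;
}

/* 1 if narrowing to 16 bits would change the stride (it is negative or
 * larger than 65535), 0 if the value survives the cast unchanged. */
int stride_is_truncated(int32_t row_stride)
{
    return (int32_t)(uint16_t)row_stride != row_stride;
}

/* Bounds check to run before any row is touched: row y starts at
 * first_row + y * step and spans row_bytes bytes. Returns 1 if every row
 * lies inside the caller's buffer of buf_size bytes, 0 if any row would be
 * read outside it (a buffer over-read). */
int rows_in_bounds(size_t buf_size, size_t first_row, uint32_t height,
                   size_t row_bytes, ptrdiff_t step)
{
    for (uint32_t y = 0; y < height; y++) {
        ptrdiff_t start = (ptrdiff_t)first_row + (ptrdiff_t)y * step;
        if (start < 0 || (size_t)start + row_bytes > buf_size)
            return 0;
    }
    return 1;
}

/* Constructed bottom-up sample: 4 rows of 100 bytes in a 400-byte buffer,
 * stride -100, first row at offset 300. Returns 1 if the rows stay in
 * bounds under the given stride conversion, 0 if a row escapes the buffer. */
int bottom_up_check(ptrdiff_t (*convert)(int32_t))
{
    return rows_in_bounds(400, 300, 4, 100, convert(-100));
}
```

With the full-width conversion the bottom-up rows sit at offsets 300, 200, 100 and 0; with the truncated step the second row already starts past the end of the buffer.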


Vulnerability details

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit … causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54.


Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-22695: same product (Libpng Libpng)
CVE-2026-33636: same product (Libpng Libpng)
CVE-2026-25646: same product (Libpng Libpng)
CVE-2026-33416: same product (Libpng Libpng)
CVE-2026-43618: shared CWE-125, CWE-190
CVE-2026-33019: shared CWE-125, CWE-190
CVE-2026-28231: shared CWE-125, CWE-190
CVE-2026-43909: shared CWE-125, CWE-190
CVE-2026-28693: shared CWE-125, CWE-190
CVE-2026-33642: shared CWE-125, CWE-190

Affected Assets

libpng (vendor: libpng), versions 1.6.26 to 1.6.54

Mitigating Controls (NIST 800-53 r5) [AI]

SI-10 (Information Input Validation), prevent: Directly enforces validation of row-stride parameters passed to png_write_image_* before they reach the integer-truncation logic.

SI-2 (Flaw Remediation), prevent: Requires prompt application of the libpng 1.6.54 patch that removes the erroneous casts causing the truncation.

Memory protection, prevent: Provides memory-protection mechanisms that can contain or block the heap buffer over-read resulting from malformed strides.
