Cyber Resilience

CVE-2026-33636

Severity: High
Published: 26 March 2026
Modified: 02 April 2026
KEV Added: not listed
Patch: available
CVSS Score (v3.1): 7.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H)
EPSS Score: 0.0005 (16.5th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-33636 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in libpng (vendor: Libpng). Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). By EPSS it ranks at the 16.5th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-33636 is an out-of-bounds read and write vulnerability in the LIBPNG reference library, which applications use to read, create, and manipulate PNG raster image files. The flaw affects versions 1.6.36 through 1.6.55 and occurs in the ARM/AArch64 Neon-optimized palette expansion path. Specifically, when expanding 8-bit paletted rows to RGB or RGBA, the Neon loop processes a final partial chunk without verifying that enough input pixels remain. Because the implementation works backward from the end of the row, the final iteration dereferences pointers before the start of the row buffer (out-of-bounds read, CWE-125) and writes expanded pixel data to those same underflowed positions (out-of-bounds write, CWE-787). The issue is reachable through normal decoding of attacker-controlled PNG input when Neon optimizations are enabled.
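The tail-handling defect described above (and restated under Vulnerability details below), as an added illustration that is not libpng's code: a simplified scalar C model of in-place, backward, chunked palette expansion. The 4-pixel chunk size, the palette layout and the function names are assumptions; underflow_bytes_unchecked computes by arithmetic alone how far before row[0] an unchecked final chunk would reach, and expand_palette_rgba8 shows the hardened form that finishes the leftover pixels one at a time.

```c
/* Added example, not libpng's code: simplified scalar model of an in-place,
 * backward, chunked 8-bit palette -> RGBA expansion (names/sizes assumed). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define CHUNK 4 /* pixels per SIMD-style chunk (assumed) */

/* Pure arithmetic, touches no memory: an unchecked loop that starts at the
 * last pixel and keeps stepping CHUNK pixels while i < width reads this
 * many index bytes before row[0] on its final iteration (0 = no underflow). */
size_t underflow_bytes_unchecked(size_t width)
{
    if (width < CHUNK)
        return 0; /* too short for the chunked path; a scalar path handles it */
    size_t tail = width % CHUNK;
    return tail == 0 ? 0 : CHUNK - tail;
}

/* Hardened expansion: whole chunks from the end, then a per-pixel loop for
 * the width % CHUNK leftover pixels, so no access ever precedes row[0].
 * row holds width index bytes and has room for width*4 output bytes. */
size_t expand_palette_rgba8(uint8_t *row, size_t width,
                            const uint8_t palette[][4])
{
    size_t remaining = width;
    while (remaining >= CHUNK) {
        size_t i = remaining - CHUNK; /* first pixel of this chunk */
        uint8_t idx[CHUNK];
        memcpy(idx, row + i, CHUNK); /* read all indices before writing */
        for (size_t k = 0; k < CHUNK; k++)
            memcpy(row + (i + k) * 4, palette[idx[k]], 4);
        remaining = i;
    }
    while (remaining > 0) { /* tail: fewer than CHUNK pixels remain */
        remaining--;
        memcpy(row + remaining * 4, palette[row[remaining]], 4);
    }
    return width;
}

/* Self-check on a constructed 6-pixel row (6 is not a multiple of CHUNK). */
int self_check(void)
{
    static const uint8_t pal[4][4] = {
        {0, 0, 0, 255}, {255, 0, 0, 255}, {0, 255, 0, 255}, {0, 0, 255, 255}};
    uint8_t row[6 * 4] = {1, 2, 3, 0, 2, 1}; /* indices first, rest scratch */
    expand_palette_rgba8(row, 6, pal);
    return memcmp(row, pal[1], 4) == 0 && memcmp(row + 4, pal[2], 4) == 0 &&
           memcmp(row + 12, pal[0], 4) == 0 && memcmp(row + 20, pal[1], 4) == 0;
}
```

For a 10-pixel row the unchecked arithmetic reports 2 bytes of underflow, which is exactly the kind of partial-chunk case the 1.6.56 fix guards against.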

Attackers can exploit this vulnerability remotely over the network with no privileges required, though user interaction is necessary, such as convincing a user to open a malicious PNG file in an affected application. Successful exploitation yields low confidentiality and integrity impacts alongside high availability impact, as scored at CVSS 7.6 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H). On ARM/AArch64 systems with Neon enabled, decoding the crafted image triggers the out-of-bounds access, potentially leading to application crashes, denial of service, or limited data exposure and corruption depending on the context and mitigations like ASLR.

The libpng security advisory (GHSA-wjr5-c57x-95m2) and associated fix commits detail mitigation by upgrading to version 1.6.56, which addresses the bounds checking deficiency in the Neon palette expansion loop. The primary patches are available in GitHub commits 7734cda20cf1236aef60f3bbd2267c97bbb40869 and aba9f18eba870d14fb52c5ba5d73451349e339c3. Security practitioners should audit dependencies for vulnerable libpng versions, especially in image-processing software on ARM/AArch64 platforms, and consider disabling Neon optimizations if patching is delayed.


Vulnerability details

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.6.36 through 1.6.55, an out-of-bounds read and write exists in libpng's ARM/AArch64 Neon-optimized palette expansion path. When expanding 8-bit paletted rows to RGB or RGBA, the Neon loop processes a final partial chunk without verifying that enough input pixels remain. Because the implementation works backward from the end of the row, the final iteration dereferences pointers before the start of the row buffer (OOB read) and writes expanded pixel data to the same underflowed positions (OOB write). This is reachable via normal decoding of attacker-controlled PNG input if Neon is enabled. Version 1.6.56 fixes the issue.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

T1204.002 Malicious File (tactic: Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Out-of-bounds memory corruption in client-side PNG decoding is triggered by a user opening a malicious file (T1204.002), directly enabling client application exploitation (T1203) that produces application crashes/DoS via memory corruption (T1499.004).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-22695 (same product: Libpng Libpng)
CVE-2026-22801 (same product: Libpng Libpng)
CVE-2026-25646 (same product: Libpng Libpng)
CVE-2026-33416 (same product: Libpng Libpng)
CVE-2026-5735 (shared CWE-125, CWE-787)
CVE-2026-27692 (shared CWE-125, CWE-787)
CVE-2026-9910 (shared CWE-125, CWE-787)
CVE-2026-34987 (shared CWE-125, CWE-787)
CVE-2026-3920 (shared CWE-125, CWE-787)
CVE-2026-9889 (shared CWE-125, CWE-787)

Affected Assets

libpng (vendor: libpng), versions 1.6.36 — 1.6.56

Mitigating Controls (NIST 800-53 r5, AI)

Prevent: SI-2 requires timely flaw remediation, directly addressing the OOB read/write vulnerability by mandating upgrades to the fixed libpng version 1.6.56.

Prevent: SI-16 implements memory protections like ASLR and non-executable memory that mitigate exploitation of the out-of-bounds read/write in libpng's Neon palette expansion.

Detect: RA-5 enables vulnerability scanning to identify systems and dependencies using vulnerable libpng versions 1.6.36 through 1.6.55.
