{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-06T17:38:16.857","vulnerabilities":[{"cve":{"id":"CVE-2026-33636","sourceIdentifier":"security-advisories@github.com","published":"2026-03-26T17:16:41.477","lastModified":"2026-04-02T18:42:02.667","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.6.36 through 1.6.55, an out-of-bounds read and write exists in libpng's ARM/AArch64 Neon-optimized palette expansion path. When expanding 8-bit paletted rows to RGB or RGBA, the Neon loop processes a final partial chunk without verifying that enough input pixels remain. Because the implementation works backward from the end of the row, the final iteration dereferences pointers before the start of the row buffer (OOB read) and writes expanded pixel data to the same underflowed positions (OOB write). This is reachable via normal decoding of attacker-controlled PNG input if Neon is enabled. Version 1.6.56 fixes the issue."},{"lang":"es","value":"LIBPNG es una biblioteca de referencia para uso en aplicaciones que leen, crean y manipulan archivos de imagen ráster PNG (Portable Network Graphics). En las versiones 1.6.36 a 1.6.55, existe una lectura y escritura fuera de límites en la ruta de expansión de paleta optimizada para Neon de ARM/AArch64 de libpng. Al expandir filas paletizadas de 8 bits a RGB o RGBA, el bucle Neon procesa un fragmento parcial final sin verificar que queden suficientes píxeles de entrada. Debido a que la implementación funciona hacia atrás desde el final de la fila, la iteración final desreferencia punteros antes del inicio del búfer de fila (lectura OOB) y escribe datos de píxeles expandidos en las mismas posiciones de desbordamiento inferior (escritura OOB). Esto es alcanzable a través de la decodificación normal de entrada PNG controlada por el atacante si Neon está habilitado. La versión 1.6.56 corrige el problema."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H","baseScore":7.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":4.7}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-125"},{"lang":"en","value":"CWE-787"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:libpng:libpng:*:*:*:*:*:*:*:*","versionStartIncluding":"1.6.36","versionEndExcluding":"1.6.56","matchCriteriaId":"CF5DCAF0-FA3A-48A5-857E-C3D960A27025"}]}]}],"references":[{"url":"https://github.com/pnggroup/libpng/commit/7734cda20cf1236aef60f3bbd2267c97bbb40869","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/pnggroup/libpng/commit/aba9f18eba870d14fb52c5ba5d73451349e339c3","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/pnggroup/libpng/security/advisories/GHSA-wjr5-c57x-95m2","source":"security-advisories@github.com","tags":["Vendor Advisory","Patch"]}]}}]}