CVE-2026-3713

Name: CVE-2026-3713
Description: A flaw has been found in pnggroup libpng up to 1.6.55. Affected by this vulnerability is the function do_pnm2png of the file contrib/pngminus/pnm2png.c of the component pnm2png. This manipulation of the argument width/height causes heap-based buffer overflow. The attack is restricted to local execution. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release              Version           Status
libpng1.6 (PTS)  bullseye             1.6.37-3          vulnerable
                 bullseye (security)  1.6.37-3+deb11u2  vulnerable
                 bookworm             1.6.39-2+deb12u1  vulnerable
                 bookworm (security)  1.6.39-2+deb12u3  vulnerable
                 trixie               1.6.48-1+deb13u1  vulnerable
                 trixie (security)    1.6.48-1+deb13u3  vulnerable
                 forky, sid           1.6.55-1          vulnerable

The information below is based on the following data on fixed versions.

Package    Type    Release     Fixed Version  Urgency      Origin  Debian Bugs
libpng1.6  source  (unstable)  (unfixed)      unimportant

Notes

https://github.com/pnggroup/libpng/issues/794
contrib/pngminus/pnm2png.c not built in binary packages
