Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2026-33636

7.6 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): HIGH

created 2 weeks, 5 days ago

LIBPNG has ARM NEON Palette Expansion Out-of-Bounds Read on AArch64

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.6.36 through 1.6.55, an out-of-bounds read and write exists in libpng's ARM/AArch64 Neon-optimized palette expansion path. When expanding 8-bit paletted rows to RGB or RGBA, the Neon loop processes a final partial chunk without verifying that enough input pixels remain. Because the implementation works backward from the end of the row, the final iteration dereferences pointers before the start of the row buffer (OOB read) and writes expanded pixel data to the same underflowed positions (OOB write). This is reachable via normal decoding of attacker-controlled PNG input if Neon is enabled. Version 1.6.56 fixes the issue.

References

https://github.com/pnggroup/libpng/security/advisories/GHSA-wjr5-c57x-95m2 x_refsource_CONFIRM
https://github.com/pnggroup/libpng/commit/7734cda20cf1236aef60f3bbd2267c97bbb40869 x_refsource_MISC
https://github.com/pnggroup/libpng/commit/aba9f18eba870d14fb52c5ba5d73451349e339c3 x_refsource_MISC

Affected products

libpng

==>= 1.6.36, < 1.6.56

Matching in nixpkgs

pkgs.libpng

Official reference implementation for the PNG file format with animation patch

nixos-unstable 1.6.55
- nixpkgs-unstable 1.6.55
- nixos-unstable-small 1.6.55
nixos-25.11 1.6.55
- nixos-25.11-small 1.6.55
- nixpkgs-25.11-darwin 1.6.55

pkgs.libpng12

Official reference implementation for the PNG file format

nixos-unstable 1.2.59
- nixpkgs-unstable 1.2.59
- nixos-unstable-small 1.2.59
nixos-25.11 1.2.59
- nixos-25.11-small 1.2.59
- nixpkgs-25.11-darwin 1.2.59

pkgs.perlPackages.ImagePNGLibpng

Perl interface to libpng

nixos-unstable 0.59
- nixpkgs-unstable 0.59
- nixos-unstable-small 0.59
nixos-25.11 0.59
- nixos-25.11-small 0.59
- nixpkgs-25.11-darwin 0.59

pkgs.perl5Packages.ImagePNGLibpng

Perl interface to libpng

nixos-unstable 0.59
- nixpkgs-unstable 0.59
- nixos-unstable-small 0.59

pkgs.perl538Packages.ImagePNGLibpng

Perl interface to libpng

nixos-25.11 0.59
- nixos-25.11-small 0.59
- nixpkgs-25.11-darwin 0.59

pkgs.perl540Packages.ImagePNGLibpng

Perl interface to libpng

nixos-25.11 0.59
- nixos-25.11-small 0.59
- nixpkgs-25.11-darwin 0.59

pkgs.tests.pkg-config.defaultPkgConfigPackages.libpng

Test whether libpng-apng-1.6.46 exposes pkg-config modules libpng

nixos-unstable -
- nixpkgs-unstable
- nixos-unstable-small
nixos-25.11 -
- nixos-25.11-small
- nixpkgs-25.11-darwin

Package maintainers

@vcunat Vladimír Čunát <v@cunat.cz>