CVE-2026-40930
LIBPNG: Chunk smuggling in push-mode APNG parser via unconsumed chunk body
CVSS Score
5.4
EPSS Score
0.0%
EPSS Percentile
0th
LIBPNG is a reference library for use in applications that process PNG (Portable Network Graphics) raster image files. In version 1.8.0, three inter-frame chunk discard paths in the push-mode APNG parser clear the chunk-header flag without consuming the chunk body and CRC, allowing attacker-controlled bytes inside an ignored ancillary chunk to be reinterpreted as a fresh chunk header on the next call to `png_process_data`. Commit faf06924688b62d7c1654b5ceddedbde66ffadb4 fixes the issue.
| CWE | CWE-436 |
| Vendor | pnggroup |
| Product | libpng |
| Published | Jun 4, 2026 |
| Last Updated | Jun 4, 2026 |
Stay Ahead of the Next One
Get instant alerts for pnggroup libpng
Be the first to know when new medium vulnerabilities affecting pnggroup libpng are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low
Affected Versions
pnggroup / libpng
= 1.8.0
pnggroup / libpng-apng
>= 1.6.49, <= 1.6.57