Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-26ny-2nf5-33d9
Vulnerability ID VCID-26ny-2nf5-33d9
Aliases CVE-2026-33636
Summary libpng: libpng: Information disclosure and denial of service via out-of-bounds read/write in Neon palette expansion
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-124 Buffer Underwrite ('Buffer Underflow')
CWE-125 Out-of-bounds Read
CWE-787 Out-of-bounds Write
System Score Found at
cvssv3 7.6 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33636.json
epss 0.00045 https://api.first.org/data/v1/epss?cve=CVE-2026-33636
cvssv3.1 8.6 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 7.6 https://github.com/pnggroup/libpng/commit/7734cda20cf1236aef60f3bbd2267c97bbb40869
ssvc Track https://github.com/pnggroup/libpng/commit/7734cda20cf1236aef60f3bbd2267c97bbb40869
cvssv3.1 7.6 https://github.com/pnggroup/libpng/commit/aba9f18eba870d14fb52c5ba5d73451349e339c3
ssvc Track https://github.com/pnggroup/libpng/commit/aba9f18eba870d14fb52c5ba5d73451349e339c3
cvssv3.1 7.6 https://github.com/pnggroup/libpng/security/advisories/GHSA-wjr5-c57x-95m2
ssvc Track https://github.com/pnggroup/libpng/security/advisories/GHSA-wjr5-c57x-95m2
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33636.json
https://api.first.org/data/v1/epss?cve=CVE-2026-33636
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33636
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
1132013 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132013
2451819 https://bugzilla.redhat.com/show_bug.cgi?id=2451819
7734cda20cf1236aef60f3bbd2267c97bbb40869 https://github.com/pnggroup/libpng/commit/7734cda20cf1236aef60f3bbd2267c97bbb40869
aba9f18eba870d14fb52c5ba5d73451349e339c3 https://github.com/pnggroup/libpng/commit/aba9f18eba870d14fb52c5ba5d73451349e339c3
GHSA-wjr5-c57x-95m2 https://github.com/pnggroup/libpng/security/advisories/GHSA-wjr5-c57x-95m2
RHSA-2026:11805 https://access.redhat.com/errata/RHSA-2026:11805
RHSA-2026:11813 https://access.redhat.com/errata/RHSA-2026:11813
RHSA-2026:12264 https://access.redhat.com/errata/RHSA-2026:12264
RHSA-2026:13342 https://access.redhat.com/errata/RHSA-2026:13342
RHSA-2026:13412 https://access.redhat.com/errata/RHSA-2026:13412
RHSA-2026:13533 https://access.redhat.com/errata/RHSA-2026:13533
RHSA-2026:13582 https://access.redhat.com/errata/RHSA-2026:13582
RHSA-2026:13583 https://access.redhat.com/errata/RHSA-2026:13583
RHSA-2026:13596 https://access.redhat.com/errata/RHSA-2026:13596
RHSA-2026:13600 https://access.redhat.com/errata/RHSA-2026:13600
RHSA-2026:13665 https://access.redhat.com/errata/RHSA-2026:13665
RHSA-2026:13682 https://access.redhat.com/errata/RHSA-2026:13682
RHSA-2026:13683 https://access.redhat.com/errata/RHSA-2026:13683
RHSA-2026:13922 https://access.redhat.com/errata/RHSA-2026:13922
RHSA-2026:13977 https://access.redhat.com/errata/RHSA-2026:13977
RHSA-2026:14223 https://access.redhat.com/errata/RHSA-2026:14223
RHSA-2026:14303 https://access.redhat.com/errata/RHSA-2026:14303
RHSA-2026:14790 https://access.redhat.com/errata/RHSA-2026:14790
RHSA-2026:14791 https://access.redhat.com/errata/RHSA-2026:14791
RHSA-2026:15889 https://access.redhat.com/errata/RHSA-2026:15889
RHSA-2026:17524 https://access.redhat.com/errata/RHSA-2026:17524
RHSA-2026:17567 https://access.redhat.com/errata/RHSA-2026:17567
RHSA-2026:17603 https://access.redhat.com/errata/RHSA-2026:17603
RHSA-2026:17642 https://access.redhat.com/errata/RHSA-2026:17642
RHSA-2026:17685 https://access.redhat.com/errata/RHSA-2026:17685
RHSA-2026:6732 https://access.redhat.com/errata/RHSA-2026:6732
RHSA-2026:7671 https://access.redhat.com/errata/RHSA-2026:7671
RHSA-2026:7672 https://access.redhat.com/errata/RHSA-2026:7672
RHSA-2026:8052 https://access.redhat.com/errata/RHSA-2026:8052
RHSA-2026:8459 https://access.redhat.com/errata/RHSA-2026:8459
RHSA-2026:9254 https://access.redhat.com/errata/RHSA-2026:9254
RHSA-2026:9255 https://access.redhat.com/errata/RHSA-2026:9255
RHSA-2026:9345 https://access.redhat.com/errata/RHSA-2026:9345
RHSA-2026:9638 https://access.redhat.com/errata/RHSA-2026:9638
RHSA-2026:9693 https://access.redhat.com/errata/RHSA-2026:9693
USN-8251-1 https://usn.ubuntu.com/8251-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33636.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H Found at https://github.com/pnggroup/libpng/commit/7734cda20cf1236aef60f3bbd2267c97bbb40869
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-26T18:45:14Z/ Found at https://github.com/pnggroup/libpng/commit/7734cda20cf1236aef60f3bbd2267c97bbb40869
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H Found at https://github.com/pnggroup/libpng/commit/aba9f18eba870d14fb52c5ba5d73451349e339c3
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-26T18:45:14Z/ Found at https://github.com/pnggroup/libpng/commit/aba9f18eba870d14fb52c5ba5d73451349e339c3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H Found at https://github.com/pnggroup/libpng/security/advisories/GHSA-wjr5-c57x-95m2
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-26T18:45:14Z/ Found at https://github.com/pnggroup/libpng/security/advisories/GHSA-wjr5-c57x-95m2
Exploit Prediction Scoring System (EPSS)
Percentile 0.14165
EPSS Score 0.00045
Published At May 29, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-29T08:41:43.316368+00:00 RedHat Importer Import https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33636.json 38.6.0