Vulnerability details: VCID-7qam-er5a-gbas
Vulnerability ID VCID-7qam-er5a-gbas
Aliases CVE-2026-22801
Summary libpng: Information disclosure and denial of service via integer truncation in simplified write API
Status Published
Exploitability 0.5
Weighted Severity 6.1
Risk 3.0
Weaknesses (2)
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22801.json
https://api.first.org/data/v1/epss?cve=CVE-2026-22801
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22801
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
1125444 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125444
2428824 https://bugzilla.redhat.com/show_bug.cgi?id=2428824
GHSA-vgjq-8cw5-ggw8 https://github.com/pnggroup/libpng/security/advisories/GHSA-vgjq-8cw5-ggw8
RHSA-2026:3405 https://access.redhat.com/errata/RHSA-2026:3405
RHSA-2026:3551 https://access.redhat.com/errata/RHSA-2026:3551
RHSA-2026:3573 https://access.redhat.com/errata/RHSA-2026:3573
RHSA-2026:3574 https://access.redhat.com/errata/RHSA-2026:3574
RHSA-2026:3575 https://access.redhat.com/errata/RHSA-2026:3575
RHSA-2026:3576 https://access.redhat.com/errata/RHSA-2026:3576
RHSA-2026:3577 https://access.redhat.com/errata/RHSA-2026:3577
RHSA-2026:4306 https://access.redhat.com/errata/RHSA-2026:4306
RHSA-2026:4501 https://access.redhat.com/errata/RHSA-2026:4501
RHSA-2026:4728 https://access.redhat.com/errata/RHSA-2026:4728
RHSA-2026:4729 https://access.redhat.com/errata/RHSA-2026:4729
RHSA-2026:4730 https://access.redhat.com/errata/RHSA-2026:4730
RHSA-2026:4731 https://access.redhat.com/errata/RHSA-2026:4731
RHSA-2026:4732 https://access.redhat.com/errata/RHSA-2026:4732
RHSA-2026:5606 https://access.redhat.com/errata/RHSA-2026:5606
RHSA-2026:6732 https://access.redhat.com/errata/RHSA-2026:6732
RHSA-2026:8746 https://access.redhat.com/errata/RHSA-2026:8746
RHSA-2026:8747 https://access.redhat.com/errata/RHSA-2026:8747
RHSA-2026:8748 https://access.redhat.com/errata/RHSA-2026:8748
RHSA-2026:9254 https://access.redhat.com/errata/RHSA-2026:9254
RHSA-2026:9255 https://access.redhat.com/errata/RHSA-2026:9255
USN-7963-1 https://usn.ubuntu.com/7963-1/
USN-8035-1 https://usn.ubuntu.com/8035-1/
No exploits are available.
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22801.json
Attack Vector (AV): local; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): required; Scope (S): unchanged; Confidentiality Impact (C): low; Integrity Impact (I): low; Availability Impact (A): high
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV): local; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): low; Integrity Impact (I): none; Availability Impact (A): high
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H Found at https://github.com/pnggroup/libpng/security/advisories/GHSA-vgjq-8cw5-ggw8
Attack Vector (AV): local; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): low; Integrity Impact (I): none; Availability Impact (A): high
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-13T19:37:38Z/ Found at https://github.com/pnggroup/libpng/security/advisories/GHSA-vgjq-8cw5-ggw8
Exploit Prediction Scoring System (EPSS)
Percentile 0.04618
EPSS Score 0.00018
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T13:32:54.106019+00:00 RedHat Importer Import https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22801.json 38.0.0