VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-ptgq-884e-mkft

Essentials
Severities (22)
References (19)
Severity details (8)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-ptgq-884e-mkft
Aliases	CVE-2026-33636
Summary	libpng: libpng: Information disclosure and denial of service via out-of-bounds read/write in Neon palette expansion
Status	Published
Exploitability	0.5
Weighted Severity	6.8
Risk	3.4
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-124	Buffer Underwrite ('Buffer Underflow')
CWE-125	Out-of-bounds Read
CWE-787	Out-of-bounds Write

System	Score	Found at
cvssv3	7.6	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33636.json
epss	0.00033	https://api.first.org/data/v1/epss?cve=CVE-2026-33636
epss	0.00033	https://api.first.org/data/v1/epss?cve=CVE-2026-33636
epss	0.00033	https://api.first.org/data/v1/epss?cve=CVE-2026-33636
epss	0.00033	https://api.first.org/data/v1/epss?cve=CVE-2026-33636
epss	0.00033	https://api.first.org/data/v1/epss?cve=CVE-2026-33636
epss	0.00033	https://api.first.org/data/v1/epss?cve=CVE-2026-33636
epss	0.00033	https://api.first.org/data/v1/epss?cve=CVE-2026-33636
epss	0.00033	https://api.first.org/data/v1/epss?cve=CVE-2026-33636
epss	0.00033	https://api.first.org/data/v1/epss?cve=CVE-2026-33636
epss	0.00035	https://api.first.org/data/v1/epss?cve=CVE-2026-33636
epss	0.00049	https://api.first.org/data/v1/epss?cve=CVE-2026-33636
epss	0.00049	https://api.first.org/data/v1/epss?cve=CVE-2026-33636
epss	0.00049	https://api.first.org/data/v1/epss?cve=CVE-2026-33636
epss	0.00054	https://api.first.org/data/v1/epss?cve=CVE-2026-33636
cvssv3.1	8.6	https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1	7.6	https://github.com/pnggroup/libpng/commit/7734cda20cf1236aef60f3bbd2267c97bbb40869
ssvc	Track	https://github.com/pnggroup/libpng/commit/7734cda20cf1236aef60f3bbd2267c97bbb40869
cvssv3.1	7.6	https://github.com/pnggroup/libpng/commit/aba9f18eba870d14fb52c5ba5d73451349e339c3
ssvc	Track	https://github.com/pnggroup/libpng/commit/aba9f18eba870d14fb52c5ba5d73451349e339c3
cvssv3.1	7.6	https://github.com/pnggroup/libpng/security/advisories/GHSA-wjr5-c57x-95m2
ssvc	Track	https://github.com/pnggroup/libpng/security/advisories/GHSA-wjr5-c57x-95m2

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33636.json
		https://api.first.org/data/v1/epss?cve=CVE-2026-33636
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33636
		https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
1132013		https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132013
2451819		https://bugzilla.redhat.com/show_bug.cgi?id=2451819
7734cda20cf1236aef60f3bbd2267c97bbb40869		https://github.com/pnggroup/libpng/commit/7734cda20cf1236aef60f3bbd2267c97bbb40869
aba9f18eba870d14fb52c5ba5d73451349e339c3		https://github.com/pnggroup/libpng/commit/aba9f18eba870d14fb52c5ba5d73451349e339c3
GHSA-wjr5-c57x-95m2		https://github.com/pnggroup/libpng/security/advisories/GHSA-wjr5-c57x-95m2
RHSA-2026:6732		https://access.redhat.com/errata/RHSA-2026:6732
RHSA-2026:7671		https://access.redhat.com/errata/RHSA-2026:7671
RHSA-2026:7672		https://access.redhat.com/errata/RHSA-2026:7672
RHSA-2026:8052		https://access.redhat.com/errata/RHSA-2026:8052
RHSA-2026:8459		https://access.redhat.com/errata/RHSA-2026:8459
RHSA-2026:9254		https://access.redhat.com/errata/RHSA-2026:9254
RHSA-2026:9255		https://access.redhat.com/errata/RHSA-2026:9255
RHSA-2026:9345		https://access.redhat.com/errata/RHSA-2026:9345
RHSA-2026:9638		https://access.redhat.com/errata/RHSA-2026:9638
RHSA-2026:9693		https://access.redhat.com/errata/RHSA-2026:9693

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33636.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H Found at https://github.com/pnggroup/libpng/commit/7734cda20cf1236aef60f3bbd2267c97bbb40869

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-26T18:45:14Z/ Found at https://github.com/pnggroup/libpng/commit/7734cda20cf1236aef60f3bbd2267c97bbb40869

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H Found at https://github.com/pnggroup/libpng/commit/aba9f18eba870d14fb52c5ba5d73451349e339c3

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-26T18:45:14Z/ Found at https://github.com/pnggroup/libpng/commit/aba9f18eba870d14fb52c5ba5d73451349e339c3

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H Found at https://github.com/pnggroup/libpng/security/advisories/GHSA-wjr5-c57x-95m2

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-26T18:45:14Z/ Found at https://github.com/pnggroup/libpng/security/advisories/GHSA-wjr5-c57x-95m2

Exploit Prediction Scoring System (EPSS)

Percentile	0.09521
EPSS Score	0.00033
Published At	April 4, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T13:30:14.666751+00:00	RedHat Importer	Import	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33636.json	38.0.0