CVE-2026-22695: When Fixing a Buffer Overflow Creates a Buffer Over-read
Jan 23, 2026
Executive Summary (TL;DR)
Developers fixed a heap overflow in libpng (CVE-2025-65018) but accidentally introduced a heap over-read. By confusing the destination 'stride' with the source 'width' during a `memcpy` operation, the library reads out-of-bounds. This is triggered by interlaced 16-bit PNGs and can result in immediate crashes (via negative strides) or heap memory disclosure.
A regression in libpng's simplified API allows a heap-based buffer over-read. Introduced while fixing a previous vulnerability, this flaw permits attackers to trigger a Denial of Service or potentially leak heap memory by manipulating the row stride in 16-bit interlaced PNGs.
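The stride/width confusion described above, reduced to a constructed model (this is added example code, not libpng's source; all function names, the 2x2 sample image and the stride values are hypothetical). `buggy_copy_bytes` derives the `memcpy` length from the destination row stride, so a stride wider than the image over-reads the source row and a negative stride wraps to an enormous `size_t`; `copy_image_safe` takes the length from the source width and uses the stride only to place rows, after checking that the row can hold the image width.

```c
/* Constructed model of a row copy whose length is taken from the wrong
 * quantity. Not libpng code; names and sample data are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BYTES_PER_SAMPLE 2 /* 16-bit samples */

/* Bytes actually present in one source row of `width` pixels. */
static size_t source_row_bytes(uint32_t width, uint32_t channels)
{
    return (size_t)width * channels * BYTES_PER_SAMPLE;
}

/* Buggy length: derived from the destination stride (in samples, may be
 * negative for bottom-up images) instead of the source width. */
static size_t buggy_copy_bytes(int32_t row_stride, uint32_t channels)
{
    /* A negative stride converted to size_t becomes a huge value. */
    return (size_t)row_stride * channels * BYTES_PER_SAMPLE;
}

/* How many bytes past the end of the source row the buggy length would read.
 * 0 means the copy stays in bounds; a wrapped negative stride yields a value
 * near SIZE_MAX, i.e. the immediate-crash case. */
static size_t overread_bytes(uint32_t width, int32_t row_stride, uint32_t channels)
{
    size_t have = source_row_bytes(width, channels);
    size_t want = buggy_copy_bytes(row_stride, channels);
    return want > have ? want - have : 0;
}

/* Hardened copy: the byte count comes from the source width only. The stride
 * positions rows in `buf` (negative = bottom-up) and is validated first.
 * Returns 0 on success, -1 if the stride cannot hold a row of `width` pixels. */
static int copy_image_safe(uint16_t *buf, int32_t row_stride,
                           const uint16_t *src, uint32_t width, uint32_t height,
                           uint32_t channels)
{
    size_t row_samples = (size_t)width * channels;
    int64_t abs_stride = row_stride < 0 ? -(int64_t)row_stride : row_stride;
    if ((uint64_t)abs_stride < row_samples)
        return -1; /* destination row too narrow: refuse instead of over-read */

    /* Bottom-up layout starts at the last row and walks backwards. */
    uint16_t *row = row_stride < 0
        ? buf + (size_t)(height - 1) * (size_t)abs_stride
        : buf;
    for (uint32_t y = 0; y < height; y++) {
        memcpy(row, src + (size_t)y * row_samples,
               row_samples * BYTES_PER_SAMPLE); /* length from width, not stride */
        row += row_stride;
    }
    return 0;
}

/* Copies a constructed 2x2 16-bit grayscale image into an 8-sample buffer
 * with the given stride and reports whether the layout equals `expect`. */
static int demo_copy_matches(int32_t row_stride, const uint16_t *expect)
{
    static const uint16_t src[4] = {1, 2, 3, 4}; /* constructed sample rows */
    uint16_t buf[8] = {0};
    if (copy_image_safe(buf, row_stride, src, 2, 2, 1) != 0)
        return 0;
    return memcmp(buf, expect, sizeof buf) == 0;
}

int main(void)
{
    /* width 2 pixels, 1 channel, 16-bit: 4 bytes per source row */
    printf("stride  4 -> buggy over-read: %zu bytes\n", overread_bytes(2, 4, 1));
    printf("stride -4 -> buggy over-read: %zu bytes (wrapped)\n", overread_bytes(2, -4, 1));
    printf("safe copy, stride 4:  %s\n",
           demo_copy_matches(4, (const uint16_t[]){1, 2, 0, 0, 3, 4, 0, 0}) ? "ok" : "mismatch");
    printf("safe copy, stride -4: %s\n",
           demo_copy_matches(-4, (const uint16_t[]){3, 4, 0, 0, 1, 2, 0, 0}) ? "ok" : "mismatch");
    return 0;
}
```

The point the model makes is that the stride belongs to the caller's destination buffer and says nothing about how many bytes the decoder produced for a row; any length handed to `memcpy` must come from the source side, and the stride should only be range-checked and used for addressing.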
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| libpng (PNG Reference Library Group) | >= 1.6.51, <= 1.6.53 | 1.6.54 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-125 (Out-of-bounds Read) |
| CVSS v3.1 | 6.1 (Medium) |
| Attack Vector | Local / User Interaction (File Open) |
| Impact | Information Disclosure / Denial of Service |
| EPSS Score | 0.00018 |
| Affected Component | png_image_read_direct_scaled |
CWE-125 (Out-of-bounds Read): The software reads data past the end, or before the beginning, of the intended buffer.