Pixel Imperfect: The libpng Integer Truncation Vulnerability
Jan 23, 2026
Executive Summary (TL;DR)
Between versions 1.6.26 and 1.6.53, libpng's simplified write API contains a nasty integer truncation bug. When handling large row strides (images wider than ~16k pixels in 16-bit mode) or negative strides (common in BMP conversion), an explicit cast to `png_uint_16` chops off the high bits. This causes the library to miscalculate memory offsets, reading out-of-bounds heap data and potentially writing it into the output PNG or crashing the application. Fixed in 1.6.54.
A classic integer truncation vulnerability in the widespread libpng library enables heap buffer over-reads. Hidden within the 'simplified' write API, this 10-year-old bug punishes developers for ignoring compiler warnings the wrong way, turning wide images into memory leaks.
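The arithmetic behind the summary above, as an added example that is not libpng source or code from the original page. It models the row step with plain byte offsets, so no memory is read. The function names, the sample strides and the caller-side guard are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model, not libpng source: the per-row step (in 16-bit samples)
 * after the byte stride is narrowed to 16 bits, as the summary describes. */
static ptrdiff_t step_truncated(ptrdiff_t row_bytes)
{
    return (ptrdiff_t)((uint16_t)row_bytes / sizeof(uint16_t));
}

/* The step the caller's buffer layout actually requires. */
static ptrdiff_t step_expected(ptrdiff_t row_bytes)
{
    return row_bytes / (ptrdiff_t)sizeof(uint16_t);
}

/* Assumed caller-side guard for unpatched builds: stride survives narrowing. */
static int stride_survives_cast(ptrdiff_t row_bytes)
{
    return row_bytes >= 0 && row_bytes <= UINT16_MAX;
}

/* 1 if walking `height` rows with this step leaves [0, height * |row_bytes|).
 * Offsets only; no memory is read. Bottom-up layouts start at the last row. */
static int walk_leaves_buffer(ptrdiff_t row_bytes, ptrdiff_t step, int height)
{
    ptrdiff_t len = row_bytes < 0 ? -row_bytes : row_bytes;
    ptrdiff_t size = len * height;
    ptrdiff_t off = row_bytes < 0 ? len * (height - 1) : 0;
    for (int y = 0; y < height; y++) {
        if (off < 0 || off + len > size)
            return 1;
        off += step * (ptrdiff_t)sizeof(uint16_t);
    }
    return 0;
}

int main(void)
{
    /* Constructed strides in bytes: two wide top-down rows, one bottom-up row. */
    const ptrdiff_t strides[] = { 65536, 65544, -512 };
    for (size_t i = 0; i < sizeof strides / sizeof strides[0]; i++) {
        ptrdiff_t s = strides[i];
        printf("%8td bytes: expected %7td, truncated %6td, safe=%d, oob=%d\n",
               s, step_expected(s), step_truncated(s), stride_survives_cast(s),
               walk_leaves_buffer(s, step_truncated(s), 4));
    }
    return 0;
}
```

In this model a 65536-byte stride collapses to a step of zero, and a bottom-up stride of -512 bytes turns into a large forward step that walks past the end of a four-row buffer on the second row.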
Technical Appendix
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| libpng PNG Group | >= 1.6.26, <= 1.6.53 | 1.6.54 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-190 (Integer Truncation) |
| Attack Vector | Local / Context-Dependent |
| CVSS v3.1 | 6.8 (Medium) |
| Impact | Heap Over-read (Info Leak) / DoS |
| Affected Component | Simplified Write API (png_write_image_*) |
| Fix Version | 1.6.54 |
MITRE ATT&CK Mapping
The software performs an integer calculation that can produce an integer overflow or wraparound, causing the program to use the wrong value for memory offsets.