
[SECURITY] [DLA 4481-1] libpng1.6 security update



-------------------------------------------------------------------------
Debian LTS Advisory DLA-4481-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Tobias Frost
February 17, 2026                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : libpng1.6
Version        : 1.6.37-3+deb11u2
CVE ID         : CVE-2026-22695 CVE-2026-22801 CVE-2026-25646
Debian Bug     : 1125443 1125444 1127566

Multiple vulnerabilities have been found in libpng, the official PNG
reference library. They allow information disclosure via out-of-bounds
reads and denial of service via an infinite loop.

CVE-2026-22695

  There is a heap buffer over-read in the libpng simplified API function
  png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit
  output format and non-minimal row stride. This is a regression
  introduced by the fix for CVE-2025-65018.
  
CVE-2026-22801

  An integer truncation in the libpng simplified write API functions
  png_write_image_16bit and png_write_image_8bit causes a heap buffer
  over-read when the caller provides a negative row stride (for
  bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was
  introduced in libpng 1.6.26 (October 2016) by casts added to silence
  compiler warnings on 16-bit systems.
  
CVE-2026-25646

  An out-of-bounds read vulnerability exists in the png_set_quantize() API
  function. When the function is called with no histogram and the number
  of colors in the palette is more than twice the maximum supported by the
  user's display, certain palettes will cause the function to enter an
  infinite loop that reads past the end of an internal heap-allocated
  buffer. The images that trigger this vulnerability are valid per the PNG
  specification.
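Two of the three issues above are tied to properties that can be read from the PNG file itself: CVE-2026-22695 needs an interlaced 16-bit image, and CVE-2026-25646 needs a palette image with no hIST chunk whose palette is more than twice the caller's maximum colour count. The following triage script is an added example written for this advisory; it is not code from libpng, Debian or the advisory author. It parses the chunk stream with CRC checks and flags candidate inputs. The remaining conditions (8-bit output format, a non-minimal or out-of-range row stride, the max_screen_colors value passed to png_set_quantize) are chosen by the calling application, so a flag marks an input worth looking at, not a confirmed trigger. The sample PNGs are constructed inline, and all function and constant names are this example's own.

```python
"""Triage PNG inputs for the file-level conditions named in DLA-4481-1.

Added example, not code from libpng or Debian. Flags are candidate inputs:
the caller-chosen output format, row stride and max_screen_colors cannot
be seen in the file.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}          # colour type -> samples per pixel
ADAM7 = [(0, 0, 8, 8), (4, 0, 8, 8), (0, 4, 4, 8), (2, 0, 4, 4),
         (0, 2, 2, 4), (1, 0, 2, 2), (0, 1, 1, 2)]   # xstart, ystart, xstep, ystep


def parse_chunks(data: bytes):
    """Yield (type, payload) for every chunk up to IEND, verifying each CRC."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while len(data) - pos >= 12:
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if length > 0x7FFFFFFF:
            raise ValueError("chunk length exceeds the PNG limit")
        body, tail = pos + 8, pos + 8 + length
        if tail + 4 > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        payload = data[body:tail]
        (crc,) = struct.unpack(">I", data[tail:tail + 4])
        if zlib.crc32(ctype + payload) != crc:
            raise ValueError("CRC mismatch on chunk %r" % ctype)
        yield ctype, payload
        pos = tail + 4
        if ctype == b"IEND":
            return
    raise ValueError("missing IEND chunk")


def triage(data: bytes, max_screen_colors: int) -> dict:
    """Summarise IHDR/PLTE/hIST and flag candidate inputs for the two CVEs.

    max_screen_colors is the value the application would pass to
    png_set_quantize(); the advisory's condition is a palette with more
    than twice that many entries and no histogram supplied.
    """
    chunks = list(parse_chunks(data))
    if not chunks or chunks[0][0] != b"IHDR" or len(chunks[0][1]) != 13:
        raise ValueError("first chunk must be a 13-byte IHDR")
    width, height, depth, ctype, _comp, _filt, interlace = struct.unpack(
        ">IIBBBBB", chunks[0][1])
    plte = next((p for t, p in chunks if t == b"PLTE"), b"")
    has_hist = any(t == b"hIST" for t, _ in chunks)
    palette_entries = len(plte) // 3
    return {
        "width": width, "height": height, "bit_depth": depth,
        "color_type": ctype, "interlaced": interlace == 1,
        "palette_entries": palette_entries, "has_hist": has_hist,
        # CVE-2026-22695: interlaced 16-bit input (the over-read also needs an
        # 8-bit output format and a non-minimal row stride from the caller)
        "cve_2026_22695_candidate": depth == 16 and interlace == 1,
        # CVE-2026-25646: palette image, no hIST, palette > 2 * max colours
        "cve_2026_25646_candidate": (ctype == 3 and not has_hist
                                     and palette_entries > 2 * max_screen_colors),
    }


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    return (struct.pack(">I", len(payload)) + ctype + payload
            + struct.pack(">I", zlib.crc32(ctype + payload)))


def build_png(width, height, depth, ctype, interlace, palette=b"", hist=b""):
    """Constructed sample PNG (all-zero pixels) with a correctly sized IDAT,
    including the Adam7 pass layout when interlace is set."""
    bits = CHANNELS[ctype] * depth
    passes = ADAM7 if interlace else [(0, 0, 1, 1)]
    raw = b""
    for xs, ys, xstep, ystep in passes:
        pw = (width - xs + xstep - 1) // xstep
        ph = (height - ys + ystep - 1) // ystep
        if pw > 0 and ph > 0:
            raw += ph * (b"\x00" * (1 + (pw * bits + 7) // 8))  # filter byte + scanline
    ihdr = struct.pack(">IIBBBBB", width, height, depth, ctype, 0, 0, interlace)
    png = PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
    if palette:
        png += _chunk(b"PLTE", palette)
    if hist:
        png += _chunk(b"hIST", hist)
    return png + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


# Constructed samples (hypothetical inputs, not files from any report):
INTERLACED_16BIT_RGB = build_png(5, 3, 16, 2, 1)
PLAIN_8BIT_RGB = build_png(5, 3, 8, 2, 0)
BIG_PALETTE_NO_HIST = build_png(4, 4, 8, 3, 0, palette=bytes(range(256)) * 3)
BIG_PALETTE_WITH_HIST = build_png(4, 4, 8, 3, 0, palette=bytes(range(256)) * 3,
                                  hist=b"\x00\x01" * 256)

if __name__ == "__main__":
    for name in ("INTERLACED_16BIT_RGB", "PLAIN_8BIT_RGB",
                 "BIG_PALETTE_NO_HIST", "BIG_PALETTE_WITH_HIST"):
        print(name, triage(globals()[name], max_screen_colors=64))
```

Run it over a directory of untrusted PNGs with the max_screen_colors value your application actually passes; anything flagged is an input to test against the patched library, and a CRC mismatch is reported rather than silently skipped because a corrupt chunk table is itself a reason to reject the file.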

For Debian 11 bullseye, these problems have been fixed in version
1.6.37-3+deb11u2.

We recommend that you upgrade your libpng1.6 packages.

For the detailed security status of libpng1.6 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libpng1.6

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Attachment: signature.asc
Description: PGP signature