Nixpkgs Security Tracker

Dismissed

Permalink CVE-2026-3713

5.3 MEDIUM

CVSS version: 3.1
Attack vector (AV):
Attack complexity (AC):
Privileges required (PR):
User interaction (UI):
Scope (S):
Confidentiality impact (C):
Integrity impact (I):
Availability impact (A):

updated 1 week, 6 days ago by @mweinelt Activity log

Created automatic suggestion 1 week, 6 days ago
@mweinelt removed
6 packages
- libpng12
- perlPackages.ImagePNGLibpng
- perl5Packages.ImagePNGLibpng
- perl538Packages.ImagePNGLibpng
- perl540Packages.ImagePNGLibpng
- tests.pkg-config.defaultPkgConfigPackages.libpng
1 week, 6 days ago
@mweinelt dismissed 1 week, 6 days ago

pnggroup libpng pnm2png pnm2png.c do_pnm2png heap-based overflow

A flaw has been found in pnggroup libpng up to 1.6.55. Affected by this vulnerability is the function do_pnm2png of the file contrib/pngminus/pnm2png.c of the component pnm2png. This manipulation of the argument width/height causes heap-based buffer overflow. The attack is restricted to local execution. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

References

VDB-349658 | pnggroup libpng pnm2png pnm2png.c do_pnm2png heap-based overflow vdb-entry technical-description
VDB-349658 | CTI Indicators (IOB, IOC, IOA) signature permissions-required
Submit #761996 | libpng pnm2png 1.8.0 Integer Overflow to Buffer Overflow third-party-advisory
https://github.com/pnggroup/libpng/issues/794 issue-tracking
https://github.com/biniamf/pocs/tree/main/pnm2png exploit
https://github.com/pnggroup/libpng/ product

Affected products

libpng

==1.6.9
==1.6.28
==1.6.39
==1.6.29
==1.6.45
==1.6.55
==1.6.32
==1.6.19
==1.6.5
==1.6.34
==1.6.35
==1.6.17
==1.6.21
==1.6.33
==1.6.3
==1.6.4
==1.6.15
==1.6.22
==1.6.23
==1.6.37
==1.6.53
==1.6.7
==1.6.30
==1.6.51
==1.6.10
==1.6.2
==1.6.12
==1.6.6
==1.6.48
==1.6.16
==1.6.0
==1.6.8
==1.6.25
==1.6.52
==1.6.13
==1.6.41
==1.6.20
==1.6.1
==1.6.50
==1.6.40
==1.6.46
==1.6.36
==1.6.11
==1.6.27
==1.6.18
==1.6.47
==1.6.49
==1.6.26
==1.6.24
==1.6.38
==1.6.14
==1.6.44
==1.6.54
==1.6.31
==1.6.42
==1.6.43

Matching in nixpkgs

pkgs.libpng

Official reference implementation for the PNG file format with animation patch

nixos-unstable 1.6.55
- nixpkgs-unstable 1.6.55
- nixos-unstable-small 1.6.55
nixos-25.11 1.6.55
- nixos-25.11-small 1.6.55
- nixpkgs-25.11-darwin 1.6.55

Ignored packages (6)

pkgs.libpng12

Official reference implementation for the PNG file format

nixos-unstable 1.2.59
- nixpkgs-unstable 1.2.59
- nixos-unstable-small 1.2.59
nixos-25.11 1.2.59
- nixos-25.11-small 1.2.59
- nixpkgs-25.11-darwin 1.2.59

pkgs.perlPackages.ImagePNGLibpng

Perl interface to libpng

nixos-unstable 0.59
- nixpkgs-unstable 0.59
- nixos-unstable-small 0.59
nixos-25.11 0.59
- nixos-25.11-small 0.59
- nixpkgs-25.11-darwin 0.59

pkgs.perl5Packages.ImagePNGLibpng

Perl interface to libpng

nixos-unstable 0.59
- nixpkgs-unstable 0.59
- nixos-unstable-small 0.59

pkgs.perl538Packages.ImagePNGLibpng

Perl interface to libpng

nixos-25.11 0.59
- nixos-25.11-small 0.59
- nixpkgs-25.11-darwin 0.59

pkgs.perl540Packages.ImagePNGLibpng

Perl interface to libpng

nixos-25.11 0.59
- nixos-25.11-small 0.59
- nixpkgs-25.11-darwin 0.59

pkgs.tests.pkg-config.defaultPkgConfigPackages.libpng

Test whether libpng-apng-1.6.46 exposes pkg-config modules libpng

nixos-unstable -
- nixpkgs-unstable
- nixos-unstable-small
nixos-25.11 -
- nixos-25.11-small
- nixpkgs-25.11-darwin

Package maintainers

@vcunat Vladimír Čunát <v@cunat.cz>

Only in contrib, not built in our packages.

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.libpng

pkgs.libpng12

pkgs.perlPackages.ImagePNGLibpng

pkgs.perl5Packages.ImagePNGLibpng

pkgs.perl538Packages.ImagePNGLibpng

pkgs.perl540Packages.ImagePNGLibpng

pkgs.tests.pkg-config.defaultPkgConfigPackages.libpng

Package maintainers