{
  "threat_severity" : "Moderate",
  "public_date" : "2026-03-08T06:02:11Z",
  "bugzilla" : {
    "description" : "libpng: libpng: Heap-based buffer overflow in pnm2png allows information disclosure and denial of service",
    "id" : "2445566",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2445566"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-131",
  "details" : [ "A flaw has been found in pnggroup libpng up to 1.6.55. Affected by this vulnerability is the function do_pnm2png of the file contrib/pngminus/pnm2png.c of the component pnm2png. Manipulation of the width/height arguments causes a heap-based buffer overflow. The attack is restricted to local execution. An exploit has been published and may be used. The project was informed of the problem early through an issue report but had not responded at the time of publication.", "A flaw was found in libpng. A local attacker could exploit this vulnerability by manipulating the width/height arguments handled by the `do_pnm2png` function of the `pnm2png` component. This manipulation causes a heap-based buffer overflow, which could lead to information disclosure and denial of service (DoS)." ],
  "statement" : "This MODERATE impact heap-based buffer overflow in the `pnm2png` utility of libpng requires local execution to exploit.\nThe libpng packages shipped with Red Hat Enterprise Linux are not affected by this vulnerability.\nThe issue originates from the pnm2png utility present in the upstream libpng source tree under the contrib/pngminus/ directory. This component is not part of the libpng build process in RHEL, is not included in the packaging specification, and is not present in any shipped binary RPMs.",
  "affected_release" : [ {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-07T00:00:00Z",
    "advisory" : "RHSA-2026:6732",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "libpng-main-1.6.56-1.hum1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat build of OpenJDK 11 ELS",
    "fix_state" : "Not affected",
    "package_name" : "java-11-openjdk",
    "cpe" : "cpe:/a:redhat:openjdk_els:11"
  }, {
    "product_name" : "Red Hat build of OpenJDK 11 ELS",
    "fix_state" : "Not affected",
    "package_name" : "java-11-openjdk-portable",
    "cpe" : "cpe:/a:redhat:openjdk_els:11"
  }, {
    "product_name" : "Red Hat build of OpenJDK 17",
    "fix_state" : "Not affected",
    "package_name" : "java-17-openjdk-portable",
    "cpe" : "cpe:/a:redhat:openjdk:17"
  }, {
    "product_name" : "Red Hat build of OpenJDK 1.8",
    "fix_state" : "Not affected",
    "package_name" : "java-1.8.0-openjdk-portable",
    "cpe" : "cpe:/a:redhat:openjdk:1.8"
  }, {
    "product_name" : "Red Hat build of OpenJDK 21",
    "fix_state" : "Not affected",
    "package_name" : "java-21-openjdk-portable",
    "cpe" : "cpe:/a:redhat:openjdk:21"
  }, {
    "product_name" : "Red Hat build of OpenJDK 25",
    "fix_state" : "Not affected",
    "package_name" : "java-25-openjdk-portable",
    "cpe" : "cpe:/a:redhat:openjdk:25"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "firefox",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "java-21-openjdk",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "java-25-openjdk",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "libpng",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "thunderbird",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "libpng",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "libpng",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "libpng12",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "firefox",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "java-17-openjdk",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "java-1.8.0-openjdk",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "java-21-openjdk",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "libpng",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "libpng12",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "libpng15",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "mingw-libpng",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "thunderbird",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "firefox",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "java-17-openjdk",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "java-1.8.0-openjdk",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "java-21-openjdk",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "java-25-openjdk",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "libpng",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "libpng15",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "thunderbird",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "rhcos",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-3713\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-3713\nhttps://github.com/biniamf/pocs/tree/main/pnm2png\nhttps://github.com/pnggroup/libpng/\nhttps://github.com/pnggroup/libpng/issues/794\nhttps://vuldb.com/?ctiid.349658\nhttps://vuldb.com/?id.349658\nhttps://vuldb.com/?submit.761996" ],
  "name" : "CVE-2026-3713",
  "mitigation" : {
    "value" : "The flaw is in the standalone `pnm2png` converter shipped under contrib/pngminus/ in the upstream libpng source tree, not in the libpng library API, so only builds that compile and install that contrib tool are exposed. Where `pnm2png` is present, do not run it on PNM input from untrusted sources, restrict its execution to trusted users, and ensure that only trusted image files are processed. Updating to a libpng release newer than 1.6.55 that carries the upstream fix removes the issue.",
    "lang" : "en:us"
  },
  "csaw" : false
}