Bug 2451819 (CVE-2026-33636)

Summary: CVE-2026-33636 libpng: libpng: Information disclosure and denial of service via out-of-bounds read/write in Neon palette expansion
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ahughes, caswilli, fferrari, gotiwari, jgrulich, jhorak, kaycoth, khosford, kshier, mtorre, mvyas, pjindal, stcannon, teagle, tfitzsim, tpopela, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in libpng. A remote attacker could exploit an out-of-bounds read and write vulnerability in the ARM/AArch64 Neon-optimized palette expansion path. This occurs when processing a final partial chunk of 8-bit paletted rows without verifying sufficient input pixels, leading to dereferencing pointers before the start of the row buffer and writing expanded pixel data to underflowed positions. This flaw can result in information disclosure and denial of service.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2452107, 2452108, 2452110, 2452121, 2452122, 2452123, 2452124, 2452125, 2452128, 2452130, 2452131, 2452133, 2452111, 2452112, 2452113, 2452114, 2452115, 2452116, 2452117, 2452118, 2452119, 2452120, 2452129, 2452132    
Bug Blocks:    

Description OSIDB Bzimport 2026-03-26 18:03:16 UTC
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.6.36 through 1.6.55, an out-of-bounds read and write exists in libpng's ARM/AArch64 Neon-optimized palette expansion path. When expanding 8-bit paletted rows to RGB or RGBA, the Neon loop processes a final partial chunk without verifying that enough input pixels remain. Because the implementation works backward from the end of the row, the final iteration dereferences pointers before the start of the row buffer (OOB read) and writes expanded pixel data to the same underflowed positions (OOB write). This is reachable via normal decoding of attacker-controlled PNG input if Neon is enabled. Version 1.6.56 fixes the issue.

Comment 2 errata-xmlrpc 2026-04-13 02:19:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:7672 https://access.redhat.com/errata/RHSA-2026:7672

Comment 3 errata-xmlrpc 2026-04-13 02:23:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:7671 https://access.redhat.com/errata/RHSA-2026:7671

Comment 4 errata-xmlrpc 2026-04-14 11:32:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:8052 https://access.redhat.com/errata/RHSA-2026:8052

Comment 5 errata-xmlrpc 2026-04-16 12:51:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:8459 https://access.redhat.com/errata/RHSA-2026:8459

Comment 6 errata-xmlrpc 2026-04-21 15:02:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:9345 https://access.redhat.com/errata/RHSA-2026:9345

Comment 7 errata-xmlrpc 2026-04-22 07:35:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:9638 https://access.redhat.com/errata/RHSA-2026:9638

Comment 8 errata-xmlrpc 2026-04-29 15:42:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2026:11805 https://access.redhat.com/errata/RHSA-2026:11805

Comment 9 errata-xmlrpc 2026-04-29 16:09:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:11813 https://access.redhat.com/errata/RHSA-2026:11813

Comment 10 errata-xmlrpc 2026-04-30 11:49:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:12264 https://access.redhat.com/errata/RHSA-2026:12264

Comment 11 errata-xmlrpc 2026-05-04 06:02:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:13342 https://access.redhat.com/errata/RHSA-2026:13342

Comment 12 errata-xmlrpc 2026-05-04 12:04:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:13412 https://access.redhat.com/errata/RHSA-2026:13412

Comment 13 errata-xmlrpc 2026-05-04 15:51:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:13533 https://access.redhat.com/errata/RHSA-2026:13533

Comment 14 errata-xmlrpc 2026-05-05 06:30:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:13596 https://access.redhat.com/errata/RHSA-2026:13596

Comment 15 errata-xmlrpc 2026-05-05 06:32:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:13582 https://access.redhat.com/errata/RHSA-2026:13582

Comment 16 errata-xmlrpc 2026-05-05 06:38:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:13583 https://access.redhat.com/errata/RHSA-2026:13583

Comment 17 errata-xmlrpc 2026-05-05 06:48:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2026:13600 https://access.redhat.com/errata/RHSA-2026:13600

Comment 18 errata-xmlrpc 2026-05-05 09:25:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:13665 https://access.redhat.com/errata/RHSA-2026:13665

Comment 19 errata-xmlrpc 2026-05-05 10:14:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:13682 https://access.redhat.com/errata/RHSA-2026:13682

Comment 20 errata-xmlrpc 2026-05-05 10:20:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2026:13683 https://access.redhat.com/errata/RHSA-2026:13683

Comment 21 errata-xmlrpc 2026-05-06 07:07:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:13922 https://access.redhat.com/errata/RHSA-2026:13922

Comment 22 errata-xmlrpc 2026-05-06 11:36:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2026:13977 https://access.redhat.com/errata/RHSA-2026:13977

Comment 23 errata-xmlrpc 2026-05-06 16:54:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:14223 https://access.redhat.com/errata/RHSA-2026:14223

Comment 24 errata-xmlrpc 2026-05-06 19:18:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2026:14303 https://access.redhat.com/errata/RHSA-2026:14303

Comment 25 errata-xmlrpc 2026-05-07 13:24:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:14790 https://access.redhat.com/errata/RHSA-2026:14790

Comment 26 errata-xmlrpc 2026-05-07 15:46:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:14791 https://access.redhat.com/errata/RHSA-2026:14791

Comment 27 errata-xmlrpc 2026-05-11 01:32:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2026:15889 https://access.redhat.com/errata/RHSA-2026:15889

Comment 29 errata-xmlrpc 2026-05-14 10:59:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:17524 https://access.redhat.com/errata/RHSA-2026:17524

Comment 30 errata-xmlrpc 2026-05-14 12:58:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:17567 https://access.redhat.com/errata/RHSA-2026:17567

Comment 31 errata-xmlrpc 2026-05-14 14:17:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:17603 https://access.redhat.com/errata/RHSA-2026:17603

Comment 32 errata-xmlrpc 2026-05-14 15:46:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:17642 https://access.redhat.com/errata/RHSA-2026:17642

Comment 33 errata-xmlrpc 2026-05-14 18:53:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:17685 https://access.redhat.com/errata/RHSA-2026:17685

Comment 35 errata-xmlrpc 2026-06-23 17:25:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:28233 https://access.redhat.com/errata/RHSA-2026:28233

Comment 36 errata-xmlrpc 2026-06-23 22:04:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:28255 https://access.redhat.com/errata/RHSA-2026:28255