Bug 2460045 (CVE-2026-22020) - CVE-2026-22020 openjdk: Update LibPNG (Oracle CPU 2026-04)
Summary: CVE-2026-22020 openjdk: Update LibPNG (Oracle CPU 2026-04)
Keywords:
Status: NEW
Alias: CVE-2026-22020
Deadline: 2026-04-21
Product: Security Response
Classification: Other
Component: vulnerability-draft
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2460609 2460610 2460611 2460612 2460613 2460614 2460615 2460618 2460620 2460623 2460628 2460630 2460635 2460625 2460633
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-04-21 10:08 UTC by OSIDB Bzimport
Modified: 2026-06-09 16:11 UTC (History)
22 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-04-21 10:08:35 UTC 
LibPNG has several reported CVEs and needs to be updated.
Comment 2 Michal Findra 2026-04-23 09:03:23 UTC 
This CVE was fixed in Oracle Java SE 8u491, 11.0.31, 17.0.19, 21.0.11, 25.0.3. 

https://www.oracle.com/java/technologies/javase/8u491-relnotes.html#R180_491
https://www.oracle.com/java/technologies/javase/11-0-31-relnotes.html#R11_0_31
https://www.oracle.com/java/technologies/javase/17-0-19-relnotes.html#R17_0_19
https://www.oracle.com/java/technologies/javase/21-0-11-relnotes.html
https://www.oracle.com/java/technologies/javase/25-0-3-relnotes.html
Comment 3 Thiago Osório 2026-05-27 17:39:54 UTC 
Hi, team. I hope you're doing well. 

  Do we have an ETA for the fix for this CVE-2026-22020 vulnerability to the Red Hat build of OpenJDK 21?

  Regards.
Comment 11 Mauro Matteo Cascella 2026-06-09 16:11:18 UTC 
This is a bogus CVE that has been officially rejected by Red Hat.
Note You need to log in before you can comment on or make changes to this bug.