What is CVE-2026-22801?

CVE-2026-22801 is a medium-severity vulnerability in Pnggroup Libpng, classified under Out-of-bounds Read. CVSS score: 6.8/10. Published 2026-01-12.

How severe is CVE-2026-22801?

Medium severity. CVSS v3 base score is 6.8 out of 10.

Out-of-bounds Read in Pnggroup Libpng

CVE-2026-22801

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions…

Vulnerability class: Buffer Overflow

EPSS: 0.000 (6.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 6.8 (Medium). Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H.

Affected products

Pnggroup Libpng — versions < 1.6.54

Weakness classification (CWE)

CWE-125 — Out-of-bounds Read
CWE-190 — Integer Overflow or Wraparound

References

https://github.com/pnggroup/libpng/security/advisories/GHSA-vgjq-8cw5-ggw8 (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2026-22801?: CVE-2026-22801 is a medium-severity vulnerability in Pnggroup Libpng, classified under Out-of-bounds Read. CVSS score: 6.8/10. Published 2026-01-12.
How severe is CVE-2026-22801?: Medium severity. CVSS v3 base score is 6.8 out of 10.