Vulnerability-Lookup

WID-SEC-W-2026-0413

Vulnerability from csaf_certbund - Published: 2026-02-12 23:00 - Updated: 2026-02-12 23:00

Summary

Securepoint UTM: Mehrere Schwachstellen

Severity

Mittel

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Securepoint UTM-Firewalls vereinen Firewall, Router und Unified Threat Management (UTM) in einem Gerät.

Angriff: Ein Angreifer kann mehrere Schwachstellen in Komponenten von Drittanbietern in Securepoint UTM ausnutzen, um Dateien zu manipulieren, vertrauliche Informationen offenzulegen oder einen Denial-of-Service-Zustand zu verursachen.manipulieren.

Betroffene Betriebssysteme: - Sonstiges

CVE-2025-11411

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Securepoint UTM <14.1.2 Securepoint / UTM		<14.1.2

CVE-2025-13086

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Securepoint UTM <14.1.2 Securepoint / UTM		<14.1.2

CVE-2026-22695

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Securepoint UTM <14.1.2 Securepoint / UTM		<14.1.2

CVE-2026-22801

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Securepoint UTM <14.1.2 Securepoint / UTM		<14.1.2

References

3 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://wiki.securepoint.de/UTM/Changelog#Build_1…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Securepoint UTM-Firewalls vereinen Firewall, Router und Unified Threat Management (UTM) in einem Ger\u00e4t.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in Komponenten von Drittanbietern in Securepoint UTM ausnutzen, um Dateien zu manipulieren, vertrauliche Informationen offenzulegen oder einen Denial-of-Service-Zustand zu verursachen.manipulieren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-0413 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0413.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-0413 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0413"
      },
      {
        "category": "external",
        "summary": "Securepoint UTM Changelog - Build 14.1.2 vom 2026-02-12",
        "url": "https://wiki.securepoint.de/UTM/Changelog#Build_14.1.2_Beta-Version"
      }
    ],
    "source_lang": "en-US",
    "title": "Securepoint UTM: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-02-12T23:00:00.000+00:00",
      "generator": {
        "date": "2026-02-13T11:37:29.918+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.5.0"
        }
      },
      "id": "WID-SEC-W-2026-0413",
      "initial_release_date": "2026-02-12T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-02-12T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c14.1.2",
                "product": {
                  "name": "Securepoint UTM \u003c14.1.2",
                  "product_id": "T050906"
                }
              },
              {
                "category": "product_version",
                "name": "14.1.2",
                "product": {
                  "name": "Securepoint UTM 14.1.2",
                  "product_id": "T050906-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:securepoint:unified_threat_management:14.1.2"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "UTM"
          }
        ],
        "category": "vendor",
        "name": "Securepoint"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-11411",
      "product_status": {
        "known_affected": [
          "T050906"
        ]
      },
      "release_date": "2026-02-12T23:00:00.000+00:00",
      "title": "CVE-2025-11411"
    },
    {
      "cve": "CVE-2025-13086",
      "product_status": {
        "known_affected": [
          "T050906"
        ]
      },
      "release_date": "2026-02-12T23:00:00.000+00:00",
      "title": "CVE-2025-13086"
    },
    {
      "cve": "CVE-2026-22695",
      "product_status": {
        "known_affected": [
          "T050906"
        ]
      },
      "release_date": "2026-02-12T23:00:00.000+00:00",
      "title": "CVE-2026-22695"
    },
    {
      "cve": "CVE-2026-22801",
      "product_status": {
        "known_affected": [
          "T050906"
        ]
      },
      "release_date": "2026-02-12T23:00:00.000+00:00",
      "title": "CVE-2026-22801"
    }
  ]
}

CVE-2025-11411 (GCVE-0-2025-11411)

Vulnerability from cvelistv5 – Published: 2025-10-22 12:28 – Updated: 2025-12-05 10:56

Title

Possible domain hijacking via promiscuous records in the authority section

Summary

NLnet Labs Unbound up to and including version 1.24.1 is vulnerable to possible domain hijack attacks. Promiscuous NS RRSets that complement positive DNS replies in the authority section can be used to trick resolvers to update their delegation information for the zone. Usually these RRSets are used to update the resolver's knowledge of the zone's name servers. A malicious actor can exploit the possible poisonous effect by injecting NS RRSets (and possibly their respective address records) in a reply. This could be done for example by trying to spoof a packet or fragmentation attacks. Unbound would then proceed to update the NS RRSet data it already has since the new data has enough trust for it, i.e., in-zone data for the delegation point. Unbound 1.24.1 includes a fix that scrubs unsolicited NS RRSets (and their respective address records) from replies mitigating the possible poison effect. Unbound 1.24.2 includes an additional fix that scrubs unsolicited NS RRSets (and their respective address records) from YXDOMAIN and non-referral nodata replies, further mitigating the possible poison effect.

Severity

5.7 (Medium)


                        
                          CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:H/E:P

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-349 - Acceptance of Extraneous Untrusted Data With Trusted Data

Assigner

NLnet Labs

References

4 references

URL	Tags
https://www.nlnetlabs.nl/downloads/unbound/CVE-20…	vendor-advisory
https://lists.debian.org/debian-lts-announce/2025…
http://www.openwall.com/lists/oss-security/2025/11/26/4
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

1 product

Vendor	Product	Version
NLnet Labs	Unbound	Affected: 0 , ≤ 1.24.1 (semver)

Date Public

2025-10-22 00:00

Credits

Yuxiao Wu (Tsinghua University) Yunyi Zhang (Tsinghua University) Baojun Liu (Tsinghua University) Haixin Duan (Tsinghua University) TaoFei Guo (Peking University) Yang Luo (Tsinghua University) JianJun Chen (Tsinghua University)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-11411",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-22T13:20:48.048984Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-22T13:21:55.355Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-12-01T00:15:34.025Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/11/msg00008.html"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/11/26/4"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/11/msg00032.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Unbound",
          "vendor": "NLnet Labs",
          "versions": [
            {
              "lessThanOrEqual": "1.24.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Yuxiao Wu (Tsinghua University)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Yunyi Zhang (Tsinghua University)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Baojun Liu (Tsinghua University)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Haixin Duan (Tsinghua University)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "TaoFei Guo (Peking University)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Yang Luo (Tsinghua University)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "JianJun Chen (Tsinghua University)"
        }
      ],
      "datePublic": "2025-10-22T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "NLnet Labs Unbound up to and including version 1.24.1 is vulnerable to possible domain hijack attacks. Promiscuous NS RRSets that complement positive DNS replies in the authority section can be used to trick resolvers to update their delegation information for the zone. Usually these RRSets are used to update the resolver\u0027s knowledge of the zone\u0027s name servers. A malicious actor can exploit the possible poisonous effect by injecting NS RRSets (and possibly their respective address records) in a reply. This could be done for example by trying to spoof a packet or fragmentation attacks. Unbound would then proceed to update the NS RRSet data it already has since the new data has enough trust for it, i.e., in-zone data for the delegation point. Unbound 1.24.1 includes a fix that scrubs unsolicited NS RRSets (and their respective address records) from replies mitigating the possible poison effect. Unbound 1.24.2 includes an additional fix that scrubs unsolicited NS RRSets (and their respective address records) from YXDOMAIN and non-referral nodata replies, further mitigating the possible poison effect."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:H/E:P",
            "version": "4.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-349",
              "description": "CWE-349 Acceptance of Extraneous Untrusted Data With Trusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-05T10:56:13.103Z",
        "orgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
        "shortName": "NLnet Labs"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.nlnetlabs.nl/downloads/unbound/CVE-2025-11411.txt"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "This issue is fixed in 1.24.2 and all later versions."
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-07-09T00:00:00.000Z",
          "value": "Issue reported by Yuxiao Wu"
        },
        {
          "lang": "en",
          "time": "2025-08-12T00:00:00.000Z",
          "value": "Issue acknowledged and mitigation shared by NLnet Labs"
        },
        {
          "lang": "en",
          "time": "2025-10-22T00:00:00.000Z",
          "value": "Fixes released with Unbound 1.24.1 (coordinated with other vendors)"
        },
        {
          "lang": "en",
          "time": "2025-11-07T00:00:00.000Z",
          "value": "Not complete fix in Unbound 1.24.1 reported by TaoFei Guo"
        },
        {
          "lang": "en",
          "time": "2025-11-07T00:00:00.000Z",
          "value": "Issue acknowledged and mitigation shared by NLnet Labs"
        },
        {
          "lang": "en",
          "time": "2025-11-07T00:00:00.000Z",
          "value": "Mitigation acknowledged by TaoFei Guo"
        },
        {
          "lang": "en",
          "time": "2025-11-26T00:00:00.000Z",
          "value": "Additional fixes released with Unbound 1.24.2"
        }
      ],
      "title": "Possible domain hijacking via promiscuous records in the authority section",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
    "assignerShortName": "NLnet Labs",
    "cveId": "CVE-2025-11411",
    "datePublished": "2025-10-22T12:28:02.607Z",
    "dateReserved": "2025-10-07T09:07:44.926Z",
    "dateUpdated": "2025-12-05T10:56:13.103Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-13086 (GCVE-0-2025-13086)

Vulnerability from cvelistv5 – Published: 2025-12-03 19:54 – Updated: 2025-12-12 13:50

Summary

Improper validation of source IP addresses in OpenVPN version 2.6.0 through 2.6.15 and 2.7_alpha1 through 2.7_rc1 allows an attacker to open a session from a different IP address which did not initiate the connection resulting in a denial of service for the originating client

Severity

4.6 (Medium)


                        
                          CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-940 - Improper Verification of Source of a Communication Channel

Assigner

OpenVPN

References

3 references

URL	Tags
https://community.openvpn.net/Security%20Announce…	vendor-advisory
https://www.mail-archive.com/openvpn-announce@lis…	release-notes
https://www.mail-archive.com/openvpn-announce@lis…	release-notes

Impacted products

1 product

Vendor	Product	Version
OpenVPN	OpenVPN	Affected: 2.6.0 , ≤ 2.6.15 (semver) Affected: 2.7_alpha1 , ≤ 2.7_rc1 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-13086",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-03T21:48:54.419203Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-03T21:49:07.801Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "OpenVPN",
          "vendor": "OpenVPN",
          "versions": [
            {
              "lessThanOrEqual": "2.6.15",
              "status": "affected",
              "version": "2.6.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "2.7_rc1",
              "status": "affected",
              "version": "2.7_alpha1",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Improper validation of source IP addresses in OpenVPN version 2.6.0 through 2.6.15 and 2.7_alpha1 through 2.7_rc1 allows an attacker to open a session from a different IP address which did not initiate the connection resulting in a denial of service for the originating client"
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "UNREPORTED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-940",
              "description": "CWE-940: Improper Verification of Source of a Communication Channel",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-12T13:50:46.678Z",
        "orgId": "36a55730-e66d-4d39-8ca6-3c3b3017965e",
        "shortName": "OpenVPN"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://community.openvpn.net/Security%20Announcements/CVE-2025-13086"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00152.html"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00151.html"
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36a55730-e66d-4d39-8ca6-3c3b3017965e",
    "assignerShortName": "OpenVPN",
    "cveId": "CVE-2025-13086",
    "datePublished": "2025-12-03T19:54:10.737Z",
    "dateReserved": "2025-11-12T19:37:55.606Z",
    "dateUpdated": "2025-12-12T13:50:46.678Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-22695 (GCVE-0-2026-22695)

Vulnerability from cvelistv5 – Published: 2026-01-12 22:55 – Updated: 2026-01-13 19:07

Title

LIBPNG has a heap buffer over-read in png_image_read_direct_scaled (regression from CVE-2025-65018 fix)

Summary

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.51 to 1.6.53, there is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018. This vulnerability is fixed in 1.6.54.

Severity

6.1 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-125 - Out-of-bounds Read

Assigner

GitHub_M

References

4 references

URL	Tags
https://github.com/pnggroup/libpng/security/advis…	x_refsource_CONFIRM
https://github.com/pnggroup/libpng/issues/778	x_refsource_MISC
https://github.com/pnggroup/libpng/commit/218612d…	x_refsource_MISC
https://github.com/pnggroup/libpng/commit/e4f7ad4ea2	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
pnggroup	libpng	Affected: < 1.6.54

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-22695",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-13T14:13:00.487878Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-13T19:07:10.972Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "libpng",
          "vendor": "pnggroup",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.6.54"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.51 to 1.6.53, there is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018. This vulnerability is fixed in 1.6.54."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-125",
              "description": "CWE-125: Out-of-bounds Read",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-12T22:55:40.204Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/pnggroup/libpng/security/advisories/GHSA-mmq5-27w3-rxpp",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-mmq5-27w3-rxpp"
        },
        {
          "name": "https://github.com/pnggroup/libpng/issues/778",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pnggroup/libpng/issues/778"
        },
        {
          "name": "https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea"
        },
        {
          "name": "https://github.com/pnggroup/libpng/commit/e4f7ad4ea2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pnggroup/libpng/commit/e4f7ad4ea2"
        }
      ],
      "source": {
        "advisory": "GHSA-mmq5-27w3-rxpp",
        "discovery": "UNKNOWN"
      },
      "title": "LIBPNG has a heap buffer over-read in png_image_read_direct_scaled (regression from CVE-2025-65018 fix)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-22695",
    "datePublished": "2026-01-12T22:55:40.204Z",
    "dateReserved": "2026-01-08T19:23:09.855Z",
    "dateUpdated": "2026-01-13T19:07:10.972Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-22801 (GCVE-0-2026-22801)

Vulnerability from cvelistv5 – Published: 2026-01-12 22:57 – Updated: 2026-01-13 19:37

Title

LIBPNG has an integer truncation causing heap buffer over-read in png_image_write_*

Summary

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54.

Severity

6.8 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-125 - Out-of-bounds Read
CWE-190 - Integer Overflow or Wraparound

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/pnggroup/libpng/security/advis…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
pnggroup	libpng	Affected: < 1.6.54

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-22801",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-13T19:37:38.282435Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-13T19:37:45.414Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "libpng",
          "vendor": "pnggroup",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.6.54"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-125",
              "description": "CWE-125: Out-of-bounds Read",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-190",
              "description": "CWE-190: Integer Overflow or Wraparound",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-12T22:57:58.288Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/pnggroup/libpng/security/advisories/GHSA-vgjq-8cw5-ggw8",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-vgjq-8cw5-ggw8"
        }
      ],
      "source": {
        "advisory": "GHSA-vgjq-8cw5-ggw8",
        "discovery": "UNKNOWN"
      },
      "title": "LIBPNG has an integer truncation causing heap buffer over-read in png_image_write_*"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-22801",
    "datePublished": "2026-01-12T22:57:58.288Z",
    "dateReserved": "2026-01-09T22:50:10.287Z",
    "dateUpdated": "2026-01-13T19:37:45.414Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-0413

CVE-2025-11411 (GCVE-0-2025-11411)

CVE-2025-13086 (GCVE-0-2025-13086)

CVE-2026-22695 (GCVE-0-2026-22695)

CVE-2026-22801 (GCVE-0-2026-22801)

Tags

Sightings

Nomenclature