Out-of-Bounds Read and Write Vulnerability in libpng for ARM/AArch64
CVE-2026-33636

7.6HIGH

Key Information:

Vendor

Pnggroup

Status
Libpng
Vendor
CVE Published:
26 March 2026

What is CVE-2026-33636?

The libpng library, utilized for processing PNG files, contains an out-of-bounds read and write vulnerability in its Neon-optimized palette expansion path. This issue occurs in versions 1.6.36 through 1.6.55 when expanding 8-bit paletted rows to RGB or RGBA. A flaw allows a Neon loop to process a partial chunk without adequate verification of input pixel availability, which results in the possibility of dereferencing pointers beyond the start of a row buffer. Consequently, the implementation may write to incorrect memory locations, posing risks for normal decoding of attacker-supplied PNG inputs with Neon enabled. The problem has been resolved in version 1.6.56.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

libpng >= 1.6.36, < 1.6.56

References

https://github.com/pnggroup/libpng/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/pnggroup/libpng/commit/7734cda20cf1236...
x_refsource_MISC
https://github.com/pnggroup/libpng/commit/aba9f18eba870d1...
x_refsource_MISC

CVSS V3.1

Score:
7.6
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.