CVE-2026-40930 PUBLISHED

LIBPNG: Chunk smuggling in push-mode APNG parser via unconsumed chunk body

Assigner: GitHub_M
Reserved: 15.04.2026 Published: 04.06.2026 Updated: 04.06.2026

LIBPNG is a reference library for use in applications that process PNG (Portable Network Graphics) raster image files. In version 1.8.0, three inter-frame chunk discard paths in the push-mode APNG parser clear the chunk-header flag without consuming the chunk body and CRC, allowing attacker-controlled bytes inside an ignored ancillary chunk to be reinterpreted as a fresh chunk header on the next call to png_process_data. Commit faf06924688b62d7c1654b5ceddedbde66ffadb4 fixes the issue.
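The discard rule this description implies, as an added example (not libpng code and not taken from the fix commit): a push-mode walker that, once it has read a chunk header, stays in a skipping state until the whole body and the 4-byte CRC have been consumed, even when they arrive across several calls. The walker type, walker_feed, walk_sample and the sample bytes are hypothetical names and constructed data.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical model, not libpng code: push-mode walker that discards every
 * chunk but records its type. Zero-initialise; PNG signature already read. */
typedef struct {
    uint8_t  hdr[8];      /* 4-byte big-endian length + 4-byte type */
    size_t   hdr_have;    /* header bytes buffered so far */
    uint64_t skip_left;   /* body + CRC bytes still owed for this chunk */
    char     seen[8][5];  /* types of the first 8 chunks, NUL-terminated */
    size_t   count;       /* chunk headers parsed */
} walker;
/* Feed any number of bytes; all state carries over between calls. */
void walker_feed(walker *w, const uint8_t *buf, size_t len)
{
    size_t i = 0;
    while (i < len) {
        if (w->skip_left > 0) {            /* still inside a discarded chunk */
            size_t n = len - i;
            if (n > w->skip_left) n = (size_t)w->skip_left;
            w->skip_left -= n; i += n;
            continue;
        }
        w->hdr[w->hdr_have++] = buf[i++];
        if (w->hdr_have < 8) continue;
        uint32_t body = ((uint32_t)w->hdr[0] << 24) | ((uint32_t)w->hdr[1] << 16) |
                        ((uint32_t)w->hdr[2] << 8) | (uint32_t)w->hdr[3];
        if (w->count < 8) memcpy(w->seen[w->count], w->hdr + 4, 4);
        w->count++;
        w->skip_left = (uint64_t)body + 4; /* owe body AND CRC before next header */
        w->hdr_have = 0;
    }
}
/* Constructed sample: ignored tEXt chunk whose 12-byte body resembles an IDAT
 * header, then IEND. CRC bytes are dummies; this model does not verify them. */
static const uint8_t sample[] = {
    0,0,0,12, 't','E','X','t', 0,0,0,0,'I','D','A','T',0,0,0,0, 1,2,3,4,
    0,0,0,0, 'I','E','N','D', 5,6,7,8 };
/* Feed the sample in step-byte pieces (step >= 1); return chunks seen. */
size_t walk_sample(walker *w, size_t step)
{
    memset(w, 0, sizeof *w);
    for (size_t off = 0; off < sizeof sample; off += step) {
        size_t left = sizeof sample - off;
        walker_feed(w, sample + off, left < step ? left : step);
    }
    return w->count;
}
```

However the input is split between calls, the walker reports only tEXt and IEND; the header-shaped bytes inside the tEXt body are never parsed as a chunk.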

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
CVSS Score: 5.4

Product Status

Vendor pnggroup
Product libpng
Versions
  • Version = 1.8.0 is affected
Vendor pnggroup
Product libpng-apng
Versions
  • Version >= 1.6.49, <= 1.6.57 is affected

Problem Types

  • CWE-436: Interpretation Conflict