📖 libpng

active v1.8.0.git — libpng18 branch @ 614ab644f (post-v1.6.58) github.com/pnggroup/libpng owner: ariel

47%

Research headroom

14/22

Modules examined

4 · 0 CVEs

Findings

Research map

Every module of the codebase — size and color it by attack surface, findings, or coverage, switch to the list / files view, and click a module to inspect its findings.

Where to look next

The platform ranks the highest-value modules and techniques to try next.

🔒 Next moves — internal

Per-module leads, untried techniques and the recommended sweep are part of the internal platform.

Disclosed findings (4, 0 CVEs)

More vulnerabilities will appear here as they are patched and publicly disclosed.

ID	Title	Class	Severity	Evidence	Status	CVE	Discovered
LIBPNG-0004	Pull-vs-push APNG decode divergence (CVE-2026-40930 class parser differential)	logic	low	static	confirmed	—	2026-06-13
LIBPNG-0002	APNG write-side per-frame row_buf/prev_row leak across png_write_reset	dos	low	static	confirmed	—	2026-05-02
LIBPNG-0003	APNG write-side heap-buffer-overflow on width-varying multi-frame re-encode	oob-write	high	harness	harness-verified	—	2026-05-02
LIBPNG-0001	Sub-byte grayscale padding-bit propagation into re-encoded IDAT (png_combine_row)	info-leak	low	static	confirmed	—	2026-05-01

Attack surface & downstream impact

Attack surface

IHDR/chunk parsing & CRC handlingzlib/IDAT decompression and row reconstructionAPNG read (acTL/fcTL/fdAT) — sequential and progressiveAPNG write / re-encode (per-frame row buffers)read & write transforms (gamma, packing, interlace combine)ICC profile validation (iCCP)simplified API (png_image_*) read/writeSIMD filter/palette kernels (NEON/SSE2/MSA/VSX/LSX/RVV)

Downstream impact

Web browsers (Chromium, Firefox, Safari) via image decodersAndroid / mobile image pipelinesLinux distributions (system image libraries)Image-processing / thumbnail servers that re-encode PNG/APNG (write-side findings)Countless applications embedding libpng directly