PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-40930 pnggroup CVE debrief

A vulnerability was discovered in libpng 1.8.0, the reference library for reading and writing PNG raster image files. The issue lies in the push-mode APNG parser, where three inter-frame chunk discard paths clear the chunk-header flag without consuming the chunk body and CRC. As a result, attacker-controlled bytes inside an ignored ancillary chunk can be reinterpreted as a fresh chunk header on the next call to `png_process_data`. The vulnerability has been fixed in commit [ref-4].
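To illustrate the failure mode and its fix, here is an added example (not libpng's code; the reader type, function names and sample stream are hypothetical): a minimal push-mode chunk walker whose discard path carries its own "bytes left to skip" counter across calls, so an ignored chunk's body and CRC are consumed before any new header is parsed, even when a body deliberately spells out a chunk header and the stream arrives one byte at a time.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef struct {
    uint8_t  hdr[8];      /* 4-byte big-endian length + 4-byte chunk type */
    size_t   hdr_len;     /* header bytes gathered so far (0..8) */
    uint32_t skip_left;   /* body + CRC bytes still to discard; 0 = expecting a header */
    char     seen[8][5];  /* chunk types encountered, in stream order */
    int      nseen;
} chunk_reader;

/* Push-mode entry point: the stream may arrive in arbitrary slices. */
void reader_push(chunk_reader *r, const uint8_t *buf, size_t len) {
    while (len > 0) {
        if (r->skip_left > 0) {   /* inside an ignored chunk: consume, never parse */
            size_t n = len < r->skip_left ? len : r->skip_left;
            buf += n; len -= n; r->skip_left -= (uint32_t)n;
            continue;
        }
        size_t need = 8 - r->hdr_len, n = len < need ? len : need;
        memcpy(r->hdr + r->hdr_len, buf, n);
        r->hdr_len += n; buf += n; len -= n;
        if (r->hdr_len < 8) return;   /* header straddles calls; wait for more */
        if (r->nseen < 8) { memcpy(r->seen[r->nseen], r->hdr + 4, 4); r->seen[r->nseen++][4] = 0; }
        /* Arm the skip counter for body + CRC before clearing the header state, so
         * the bytes that follow can never be re-read as a fresh chunk header. */
        r->skip_left = ((uint32_t)r->hdr[0] << 24 | (uint32_t)r->hdr[1] << 16 |
                        (uint32_t)r->hdr[2] << 8 | r->hdr[3]) + 4;
        r->hdr_len = 0;
    }
}

/* Constructed sample (PNG signature omitted, CRCs are dummy zeros): IHDR, a tEXt
 * chunk whose 8-byte body spells a fake "IEND" header, then the real IEND. */
static const uint8_t sample[] = {
    0,0,0,1, 'I','H','D','R', 0x42, 0,0,0,0,
    0,0,0,8, 't','E','X','t', 0,0,0,0,'I','E','N','D', 0,0,0,0,
    0,0,0,0, 'I','E','N','D', 0,0,0,0 };

/* Feed the sample in `slice`-byte pieces; 1 iff exactly IHDR, tEXt, IEND were seen. */
int sample_parses_cleanly(size_t slice) {
    chunk_reader r; size_t off = 0;
    memset(&r, 0, sizeof r);
    for (; off < sizeof sample; off += slice)
        reader_push(&r, sample + off, sizeof sample - off < slice ? sizeof sample - off : slice);
    return r.nseen == 3 && !strcmp(r.seen[0], "IHDR") &&
           !strcmp(r.seen[1], "tEXt") && !strcmp(r.seen[2], "IEND");
}
```

A discard path that reset `hdr_len` without arming `skip_left` would instead report four chunks, with the fake IEND taken from the tEXt body; this walker only skips chunks and does not verify CRCs, unlike libpng.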

Vendor: pnggroup
Product: libpng
CVSS: MEDIUM 5.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-04
Original CVE updated: 2026-06-04
Advisory published: 2026-06-04
Advisory updated: 2026-06-04

Who should care

Developers and operators of applications that process PNG raster image files with libpng 1.8.0, especially through its push-mode (progressive) API, should be aware of this vulnerability and take steps to mitigate it.

Technical summary

The vulnerability has a CVSS score of 5.4 and is classified as MEDIUM severity. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L. The weakness is categorized as CWE-436 (Interpretation Conflict).

Defensive priority

MEDIUM

Recommended defensive actions

  • Update libpng to a release that includes the fix, or apply commit [ref-4] to 1.8.0.
  • Review applications that use libpng 1.8.0 to process PNG files and move them to the fixed library.

Evidence notes

The CVE record [cve-org] and NVD detail [nvd] provide official information about the vulnerability. Additional references include [ref-4], [ref-5], and [ref-6].

Official resources

CVE-2026-40930 was published on 2026-06-04T16:16:36.633Z and modified on 2026-06-04T16:23:52.530Z.