Adobe Photoshop and other PNG image editing software at risk of data theft or crashes
ALSA-2026:3551
Summary
libpng, a widely used library for creating and manipulating PNG images, contains three security flaws that could allow attackers to obtain sensitive information or crash affected software. This could happen when users open or edit PNG files. Software users should update to the latest version of libpng to protect against these risks.
What to do
- Update almalinux libpng to version 2:1.6.40-8.el10_1.2.
- Update almalinux libpng-devel to version 2:1.6.40-8.el10_1.2.
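To confirm a host is at or past the fixed build, compare the installed epoch:version-release (EVR) string the way RPM does rather than as plain text. The following is an added example, not part of the advisory or of any AlmaLinux tooling; the function names are hypothetical and the comparison is a simplified re-implementation of RPM's ordering that ignores the `^` operator.

```python
import re

FIXED = "2:1.6.40-8.el10_1.2"  # fixed libpng build named in the advisory

def rpmvercmp(a, b):
    """Compare version or release strings segment by segment, as RPM does.

    Returns -1, 0 or 1. Simplification (assumption): '^' is not handled.
    """
    ta = re.findall(r"\d+|[A-Za-z]+|~", a)
    tb = re.findall(r"\d+|[A-Za-z]+|~", b)
    for x, y in zip(ta, tb):
        if x == "~" or y == "~":          # '~' sorts before everything
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x.isdigit() != y.isdigit():    # numeric segment beats alphabetic
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)         # 10 > 8, unlike string comparison
        if x != y:
            return 1 if x > y else -1
    if len(ta) == len(tb):
        return 0
    longer, sign = (ta, 1) if len(ta) > len(tb) else (tb, -1)
    nxt = longer[min(len(ta), len(tb))]
    return -sign if nxt == "~" else sign

def parse_evr(evr):
    """Split 'epoch:version-release'; a missing epoch counts as 0."""
    epoch, rest = evr.split(":", 1) if ":" in evr else ("0", evr)
    version, _, release = rest.partition("-")
    return int(epoch), version, release

def evr_cmp(a, b):
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def needs_update(installed, fixed=FIXED):
    """True when the installed EVR sorts before the fixed build."""
    return evr_cmp(installed, fixed) < 0

if __name__ == "__main__":
    # Constructed sample EVR strings, not taken from any real host.
    for evr in ("2:1.6.40-8.el10", "2:1.6.40-8.el10_1.2", "1.6.50-1.el10"):
        print(evr, "-> update needed" if needs_update(evr) else "-> ok")
```

The installed string can be obtained with `rpm -q --qf '%{EPOCHNUM}:%{VERSION}-%{RELEASE}\n' libpng`; leaving out the epoch makes every build sort before the fixed one, as the third constructed sample shows.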
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| almalinux | libpng | <= 2:1.6.40-8.el10_1.2 | 2:1.6.40-8.el10_1.2 |
| almalinux | libpng-devel | <= 2:1.6.40-8.el10_1.2 | 2:1.6.40-8.el10_1.2 |
Original title
Important: libpng security update
Original description
The libpng packages contain a library of functions for creating and manipulating Portable Network Graphics (PNG) image format files.
Security Fix(es):
* libpng: libpng: Information disclosure and denial of service via integer truncation in simplified write API (CVE-2026-22801)
* libpng: libpng: Denial of service and information disclosure via heap buffer over-read in png_image_finish_read (CVE-2026-22695)
* libpng: LIBPNG has a heap buffer overflow in png_set_quantize (CVE-2026-25646)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
References
- https://access.redhat.com/errata/RHSA-2026:3551 Vendor Advisory
- https://access.redhat.com/security/cve/CVE-2026-22695 Third Party Advisory
- https://access.redhat.com/security/cve/CVE-2026-22801 Third Party Advisory
- https://access.redhat.com/security/cve/CVE-2026-25646 Third Party Advisory
- https://bugzilla.redhat.com/2428824 Third Party Advisory
- https://bugzilla.redhat.com/2428825 Third Party Advisory
- https://bugzilla.redhat.com/2438542 Third Party Advisory
- https://errata.almalinux.org/10/ALSA-2026-3551.html Vendor Advisory
Published: 2 Mar 2026 · Updated: 6 Mar 2026 · First seen: 6 Mar 2026