Unrated severityNVD Advisory· Published Aug 31, 2011· Updated Apr 29, 2026

CVE-2009-5063

Description

Memory leak in the embedded_profile_len function in pngwutil.c in libpng before 1.2.39beta5 allows context-dependent attackers to cause a denial of service (memory leak or segmentation fault) via a JPEG image containing an iCCP chunk with a negative embedded profile length. NOTE: this is due to an incomplete fix for CVE-2006-7244.

Affected products

Libpng/Libpng6 versions
cpe:2.3:a:libpng:libpng:*:*:*:*:*:*:*:*+ 5 more
- cpe:2.3:a:libpng:libpng:*:*:*:*:*:*:*:*range: <=1.2.38
- cpe:2.3:a:libpng:libpng:1.2.39:-:*:*:*:*:*:*
- cpe:2.3:a:libpng:libpng:1.2.39:beta1:*:*:*:*:*:*
- cpe:2.3:a:libpng:libpng:1.2.39:beta2:*:*:*:*:*:*
- cpe:2.3:a:libpng:libpng:1.2.39:beta3:*:*:*:*:*:*
- cpe:2.3:a:libpng:libpng:1.2.39:beta4:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.openwall.com/lists/oss-security/2011/03/22/7nvdMailing ListPatchThird Party Advisory
www.openwall.com/lists/oss-security/2011/03/28/6nvdMailing ListPatchThird Party Advisory
security.gentoo.org/glsa/glsa-201206-15.xmlnvdThird Party Advisory
secunia.com/advisories/49660nvdBroken Link
libpng.git.sourceforge.net/git/gitweb.cginvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000