High severity7.5NVD Advisory· Published Jan 30, 2017· Updated May 13, 2026

CVE-2016-10087

Description

The png_set_text_2 function in libpng 0.71 before 1.0.67, 1.2.x before 1.2.57, 1.4.x before 1.4.20, 1.5.x before 1.5.28, and 1.6.x before 1.6.27 allows context-dependent attackers to cause a NULL pointer dereference vectors involving loading a text chunk into a png structure, removing the text, and then adding another text chunk to the structure.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.openwall.com/lists/oss-security/2016/12/29/2nvdMailing ListThird Party Advisory
www.openwall.com/lists/oss-security/2016/12/30/4nvdMailing ListThird Party Advisory
www.securityfocus.com/bid/95157nvdThird Party AdvisoryVDB Entry
lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3Envd
lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3Envd
security.gentoo.org/glsa/201701-74nvd
usn.ubuntu.com/3712-1/nvd
usn.ubuntu.com/3712-2/nvd

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000