Medium severity5.4NVD Advisory· Published Jun 4, 2026· Updated Jun 4, 2026

CVE-2026-40930

Description

LIBPNG is a reference library for use in applications that process PNG (Portable Network Graphics) raster image files. In version 1.8.0, three inter-frame chunk discard paths in the push-mode APNG parser clear the chunk-header flag without consuming the chunk body and CRC, allowing attacker-controlled bytes inside an ignored ancillary chunk to be reinterpreted as a fresh chunk header on the next call to png_process_data. Commit faf06924688b62d7c1654b5ceddedbde66ffadb4 fixes the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

Pnggroup/Libpngreferences2 versions
(expand)+ 1 more
- (no CPE)
- (no CPE)range: =1.8.0

Patches

Vulnerability mechanics

References

www.openwall.com/lists/oss-security/2026/05/15/21nvd
github.com/pnggroup/libpng/commit/faf06924688b62d7c1654b5ceddedbde66ffadb4nvd
github.com/pnggroup/libpng/security/advisories/GHSA-c4v6-gxrq-6g2xnvd

News mentions

Patch Tuesday - June 2026
Rapid7 Blog · Jun 9, 2026

cvss	0.351
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000