Critical Heap Overflow Vulnerability in LibPNG PNM2PNG Converter
A critical heap-based buffer overflow vulnerability has been discovered in LibPNG's PNM2PNG converter utility. This flaw allows attackers to execute arbitrary code through specially crafted PNM files, potentially affecting numerous image processing applications and systems.
A severe heap-based buffer overflow vulnerability has been identified in LibPNG's PNM2PNG converter component, specifically within the do_pnm2png function in pnm2png.c. This vulnerability allows malicious actors to trigger a heap-based buffer overflow through specially crafted PNM files, potentially leading to arbitrary code execution or denial of service conditions.
The vulnerability is particularly concerning due to LibPNG's widespread use in image processing applications, web servers, and content management systems across multiple sectors. Security researchers have observed active exploitation attempts in the wild, with threat actors targeting both enterprise and consumer applications that leverage the affected LibPNG components.
Overview
A critical security vulnerability has been discovered in LibPNG's PNM2PNG converter utility, affecting the do_pnm2png function within pnm2png.c. The heap-based buffer overflow condition can be triggered when processing specially crafted PNM files, potentially allowing attackers to execute arbitrary code on affected systems.
Technical Analysis
The vulnerability exists in the PNM to PNG conversion process, where insufficient bounds checking in the do_pnm2png function can lead to a heap-based buffer overflow. When processing malformed PNM files with specific characteristics, the converter fails to properly validate buffer sizes, allowing write operations beyond allocated memory boundaries.
Attack Vector
Maliciously crafted PNM files
Web-based image upload functionality
Automated image processing systems
Impact Assessment
The vulnerability affects multiple sectors and applications:
Web applications processing user-uploaded images
Content management systems
Image processing software
Document conversion tools
Media processing pipelines
Recommendations
Immediately patch affected systems with the latest LibPNG security updates
Implement strict input validation for image file uploads
Deploy file type verification and sanitization
Monitor systems for suspicious image processing activities
Review logs for potential exploitation attempts
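One way to apply the input-validation and file-type-verification recommendations to PNM uploads before they reach a converter, shown as an added example (not code from libpng or from this advisory, and not a reproduction of the flaw). The names pnm_precheck, pnm_field and PNM_MAX_DIM are hypothetical, and the dimension limit is an assumed policy value.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>

#define PNM_MAX_DIM 16384u /* assumed upload policy limit, not a libpng constant */

/* Read one decimal header field, skipping whitespace and '#' comments.
   Returns 0 on success, -1 if the field is missing or exceeds 65535. */
static int pnm_field(const uint8_t *b, size_t n, size_t *pos, uint32_t *out)
{
    size_t i = *pos;
    uint32_t v = 0;
    int digits = 0;
    for (;;) {
        while (i < n && isspace(b[i])) i++;
        if (i >= n || b[i] != '#') break;
        while (i < n && b[i] != '\n') i++;
    }
    for (; i < n && isdigit(b[i]); i++, digits++) {
        v = v * 10 + (uint32_t)(b[i] - '0');
        if (v > 65535u) return -1;  /* reject before the value can wrap */
    }
    if (digits == 0) return -1;
    *pos = i;
    *out = v;
    return 0;
}

/* Returns 0 if the header is well formed and, for raw P4-P6 files, the buffer
   holds at least the pixel bytes the header declares; -1 otherwise. */
int pnm_precheck(const uint8_t *b, size_t n)
{
    uint32_t w, h, maxval = 1;
    size_t pos = 2;
    if (n < 3 || b[0] != 'P' || b[1] < '1' || b[1] > '6' || !isspace(b[2]))
        return -1;
    int type = b[1] - '0';
    if (pnm_field(b, n, &pos, &w) || pnm_field(b, n, &pos, &h)) return -1;
    if (w == 0 || h == 0 || w > PNM_MAX_DIM || h > PNM_MAX_DIM) return -1;
    if (type != 1 && type != 4 &&
        (pnm_field(b, n, &pos, &maxval) || maxval == 0)) return -1;
    if (pos >= n || !isspace(b[pos])) return -1;  /* single separator byte */
    pos++;
    if (type < 4) return 0;  /* ASCII body has no fixed length to compare */
    uint64_t row = (type == 4) ? ((uint64_t)w + 7) / 8
                 : (uint64_t)w * (type == 6 ? 3 : 1) * (maxval > 255 ? 2 : 1);
    /* 64-bit product cannot overflow: row <= 98304 and h <= 16384 */
    return (row * h <= (uint64_t)(n - pos)) ? 0 : -1;
}
```

A file that fails this check can be rejected or quarantined without invoking the converter; passing it does not replace patching.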
Indicators of Compromise
Unexpected crashes in image processing applications
Unusual memory allocation patterns during PNM file processing
System crashes with heap corruption errors
Suspicious PNM files with abnormal file structures