CVE-2019-6129

png_create_info_struct in png.c in libpng 1.6.36 has a memory leak, as demonstrated by pngcp. NOTE: a third party has stated "I don't think it is libpng's job to free this buffer.

medium 6.5 CVSS 3.1

Published: Jan 11, 2019

Modified: May 28, 2026

Vendor: Libpng

Product: Libpng

Versions: 1.6.36

Description

png_create_info_struct in png.c in libpng 1.6.36 has a memory leak, as demonstrated by pngcp. NOTE: a third party has stated "I don't think it is libpng's job to free this buffer.

References

https://github.com/glennrp/libpng/issues/269
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
https://github.com/glennrp/libpng/issues/269
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Related CVEs

CVSS Breakdown

Version	3.1
Score	6.5 / 10
Severity	medium

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Weakness (CWE)

CWE-401

Affected Product

Vendor	Libpng
Product	Libpng
Versions	1.6.36