CVE-2026-40930
Publication date 20 May 2026
Last updated 27 May 2026
Ubuntu priority
Description
Chunk smuggling in push-mode APNG parser via unconsumed chunk body
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| libpng | 26.04 LTS resolute | Not in release |
| 25.10 questing | Not in release | |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty |
Not affected
|
|
| libpng1.6 | 26.04 LTS resolute |
Not affected
|
| 25.10 questing |
Not affected
|
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Vulnerable
|
|
| 20.04 LTS focal |
Vulnerable
|
|
| 18.04 LTS bionic |
Not affected
|
|
| firefox | 26.04 LTS resolute |
Not affected
|
| 25.10 questing |
Not affected
|
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Not affected
|
|
| thunderbird | 26.04 LTS resolute |
Not affected
|
| 25.10 questing |
Not affected
|
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Not affected
|
|
| chromium-browser | 26.04 LTS resolute |
Not affected
|
| 25.10 questing |
Not affected
|
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Not affected
|
Notes
mdeslaur
This only applies to the third-party libpng-apng patch. Per Debiam, the apng patch was applied in Debian starting with 1.6.36-2 and dropped in 1.6.37-4. Second commit below is recommended to be applied also per upstream advisory.