CVE-2019-7317
Advisory lineage Upstream: 0 Downstream: 56
Modified
Published: 04 Feb 2019, 07:00
Last modified:28 May 2026, 18:24
Vulnerability Summary
Overall Risk (default)
medium
31/100 CVSS Score
5.3 MEDIUM
v3.1 (nvd)
EPSS Score
0.56% LOW
1% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
1 found
Dark Web
Not detected
Timeline
04 Feb 2019, 07:00
Published
Vulnerability first disclosed
28 May 2026, 18:24
Last Modified
Vulnerability information updated
Description
png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute.
CVSS Metrics
- v3.1•MEDIUM•Score: 5.3CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
- v2.0•LOW•Score: 2.6AV:N/AC:H/Au:N/C:N/I:N/A:P
EPSS Trends
Current EPSS score: 0.56%• Percentile: 69%
Techniques & Countermeasures
- CWE-416•Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Affected Systems
- canonical•ubuntu_linux
16.04 | 18.04 | 18.10 | 19.04
- debian•debian_linux
8.0 | 9.0
- hp•xp7_command_view
< 8.7.0-00
- hpe•xp7_command_view_advanced_edition_suite
< 8.7.0-00
- libpng•libpng
≥ 1.6.0, < 1.6.37
- mozilla•firefox
na
- mozilla•thunderbird
na
- netapp•active_iq_unified_manager
< 9.6 | 9.6
- netapp•cloud_backup
na
- netapp•e-series_santricity_management
na
- netapp•e-series_santricity_storage_manager
< 11.53
- netapp•e-series_santricity_unified_manager
< 3.2
- netapp•e-series_santricity_web_services
< 4.0
- netapp•oncommand_insight
< 7.3.9
- netapp•oncommand_workflow_automation
< 5.1
- netapp•plug-in_for_symantec_netbackup
na
- netapp•snapmanager
< 3.4.2 | 3.4.2:p1
- netapp•steelstore
na
- opensuse•leap
15.0 | 15.1 | 42.3
- opensuse•package_hub
na
- oracle•hyperion_infrastructure_technology
11.2.6.0
- Unknown•Java SE
7u221 | 8u212
- oracle•jdk
11.0.3 | 12.0.1
- oracle•mysql
< 8.0.23
- redhat•enterprise_linux
6.0 | 7.0 | 8.0
- redhat•enterprise_linux_desktop
6.0 | 7.0
- redhat•enterprise_linux_for_ibm_z_systems
6.0 | 7.0 | 8.0
- redhat•enterprise_linux_for_power_big_endian
6.0 | 7.0
- redhat•enterprise_linux_for_power_little_endian
7.0 | 8.0
- redhat•enterprise_linux_for_scientific_computing
6.0 | 7.0
- redhat•enterprise_linux_workstation
6.0 | 7.0
- redhat•satellite
5.8
References (42)
- https://seclists.org/bugtraq/2019/Apr/30
- https://www.debian.org/security/2019/dsa-4435
- https://seclists.org/bugtraq/2019/Apr/36
- https://usn.ubuntu.com/3962-1/
- https://usn.ubuntu.com/3991-1/
- https://seclists.org/bugtraq/2019/May/56
- https://seclists.org/bugtraq/2019/May/59
- https://www.debian.org/security/2019/dsa-4448
- https://lists.debian.org/debian-lts-announce/2019/05/msg00032.html
- https://access.redhat.com/errata/RHSA-2019:1265
- https://access.redhat.com/errata/RHSA-2019:1267
- https://access.redhat.com/errata/RHSA-2019:1269
- https://www.debian.org/security/2019/dsa-4451
- https://seclists.org/bugtraq/2019/May/67
- https://lists.debian.org/debian-lts-announce/2019/05/msg00038.html
- https://usn.ubuntu.com/3997-1/
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00002.html
- https://access.redhat.com/errata/RHSA-2019:1310
- https://access.redhat.com/errata/RHSA-2019:1308
- https://access.redhat.com/errata/RHSA-2019:1309
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00029.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00084.html
- http://www.securityfocus.com/bid/108098
- https://usn.ubuntu.com/4080-1/
- https://usn.ubuntu.com/4083-1/
- https://security.gentoo.org/glsa/201908-02
- https://access.redhat.com/errata/RHSA-2019:2494
- https://access.redhat.com/errata/RHSA-2019:2495
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00038.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00044.html
- https://access.redhat.com/errata/RHSA-2019:2585
- https://access.redhat.com/errata/RHSA-2019:2590
- https://access.redhat.com/errata/RHSA-2019:2592
- https://access.redhat.com/errata/RHSA-2019:2737
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12803
- https://github.com/glennrp/libpng/issues/275
- http://packetstormsecurity.com/files/152561/Slackware-Security-Advisory-libpng-Updates.html
- https://security.netapp.com/advisory/ntap-20190719-0005/
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03977en_us
- https://www.oracle.com/security-alerts/cpuoct2021.html