
CERT Coordination Center

Libpng 1.5.0 png_set_rgb_to_gray() vulnerability

Vulnerability Note VU#643140

Original Release Date: 2011-01-11 | Last Revised: 2011-02-03


Libpng-1.5.0 introduced a vulnerability in the rgb-to-gray transform function.


Libpng-based applications that call the png_set_rgb_to_gray() function from pngrtran.c are vulnerable. Libpng versions prior to 1.5.0 are not vulnerable.


An attacker may cause the application to crash or execute arbitrary code as the user.


Apply an Update

Upgrade to version 1.5.1.

Vendor Information

No information available at this time.

CVSS Metrics

Group          Score   Vector
Base           N/A     N/A
Temporal       N/A     N/A
Environmental  N/A



Thanks to Glenn Randers-Pehrson for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs: CVE-2011-0408
Date Public: 2011-01-08
Date First Published: 2011-01-11
Date Last Updated: 2011-02-03 19:23 UTC
Document Revision: 18

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.