Vulnerability Note VU#889484

libpng off-by-one vulnerability

Original Release date: 02 Oct 2008 | Last revised: 02 Oct 2008


A vulnerability exists in libpng that may allow a remote attacker to cause a denial of service.


A vulnerability in the way libpng handles files that contain multiple zTXt chunks may cause a denial of service. This vulnerability is due to an off-by-one error introduced in the png_push_read_zTXt() function in libpng-1.2.30/pngpread.c. According to the PNG Development Group:

    Gecko-based applications such as Firefox are not vulnerable because they contain a png_set_keep_unknown_chunks() call that causes the application to ignore the zTXt chunk.

Note that this issue affects libpng versions 1.0.38, 1.0.39, 1.2.30, 1.2.31, and libpng-1.4.0beta.
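As an added example (not CERT/CC or libpng code), the following triage script walks a PNG's chunk list and flags files that carry more than one zTXt chunk, the input shape this note describes, for services still linked against an affected libpng. The function names and the sample images are constructed for illustration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def iter_chunks(data):
    """Yield (type, payload, crc_ok) for each chunk in a PNG byte string."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header at offset %d" % pos)
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4  # header + payload + CRC
        if end > len(data):
            raise ValueError("chunk %r overruns file at offset %d" % (ctype, pos))
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        yield ctype, payload, (zlib.crc32(ctype + payload) & 0xFFFFFFFF) == crc
        pos = end
        if ctype == b"IEND":
            break

def ztxt_report(data):
    """Count zTXt chunks; flag the file when it holds more than one."""
    keywords, crc_errors = [], 0
    for ctype, payload, crc_ok in iter_chunks(data):
        crc_errors += 0 if crc_ok else 1
        if ctype == b"zTXt":
            # zTXt payload: keyword, NUL, compression method, deflate stream
            keywords.append(payload.split(b"\x00", 1)[0].decode("latin-1"))
    return {"ztxt_count": len(keywords), "keywords": keywords,
            "crc_errors": crc_errors, "flag": len(keywords) > 1}

def make_chunk(ctype, payload):
    # Helper for building the constructed samples below.
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def make_sample(n_ztxt):
    # Constructed 1x1 grayscale PNG with n_ztxt zTXt chunks (test data only).
    body = make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    for i in range(n_ztxt):
        body += make_chunk(b"zTXt", b"Comment%d\x00\x00" % i + zlib.compress(b"text"))
    body += make_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + make_chunk(b"IEND", b"")
    return PNG_SIGNATURE + body
```

A flagged file is not malicious by itself, since multiple zTXt chunks are valid PNG; the flag only marks input worth holding back from a decoder that has not been upgraded.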


A remote, unauthorized attacker may be able to cause a denial of service.


The PNG Development Group has issued an upgrade to address this issue. See libpng version 1.2.32 for more information.

Systems Affected

Vendor | Status | Date Notified | Date Updated
libpng | Affected | - | 02 Oct 2008

CVSS Metrics

Group | Score | Vector
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A



This issue was reported by the PNG Development Group in libpng version 1.2.32.

This document was written by Chris Taschner.

Other Information

  • CVE IDs: CVE-2008-3964
  • Date Public: 05 Sep 2008
  • Date First Published: 02 Oct 2008
  • Date Last Updated: 02 Oct 2008
  • Severity Metric: 3.97
  • Document Revision: 7

