// For flags

CVE-2019-7317

libpng: use-after-free in png_image_free in png.c

Severity Score

5.3
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute.

La función png_image_free en el archivo png.c en libpng versiones 1.6.x anteriores a 1.6.37, presenta un uso de la memoria previamente liberada porque la función png_image_free_function es llamada bajo png_safe_execute.

It was discovered that OpenJDK did not sufficiently validate serial streams before deserializing suppressed exceptions in some situations. An attacker could use this to specially craft an object that, when deserialized, would cause a denial of service. It was discovered that in some situations OpenJDK did not properly bound the amount of memory allocated during object deserialization. An attacker could use this to specially craft an object that, when deserialized, would cause a denial of service. Various other issues were also addressed.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Network
Attack Complexity
High
Authentication
None
Confidentiality
None
Integrity
None
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2019-02-04 CVE Reserved
  • 2019-02-04 CVE Published
  • 2024-08-04 CVE Updated
  • 2024-08-04 First Exploit
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-400: Uncontrolled Resource Consumption
  • CWE-416: Use After Free
CAPEC
References (44)
URL Tag Source
http://packetstormsecurity.com/files/152561/Slackware-Security-Advisory-libpng-Updates.html Third Party Advisory
http://www.securityfocus.com/bid/108098 Not Applicable
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12803 Issue Tracking
https://lists.debian.org/debian-lts-announce/2019/05/msg00032.html Mailing List
https://lists.debian.org/debian-lts-announce/2019/05/msg00038.html Mailing List
https://seclists.org/bugtraq/2019/Apr/30 Issue Tracking
https://seclists.org/bugtraq/2019/Apr/36 Issue Tracking
https://seclists.org/bugtraq/2019/May/56 Issue Tracking
https://seclists.org/bugtraq/2019/May/59 Issue Tracking
https://seclists.org/bugtraq/2019/May/67 Issue Tracking
https://security.netapp.com/advisory/ntap-20190719-0005 Third Party Advisory
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03977en_us Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html Third Party Advisory
URL Date SRC
https://github.com/glennrp/libpng/issues/275 2024-08-04
URL Date SRC
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html 2022-05-23
URL Date SRC
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00002.html 2022-05-23
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00029.html 2022-05-23
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00084.html 2022-05-23
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00038.html 2022-05-23
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00044.html 2022-05-23
https://access.redhat.com/errata/RHSA-2019:1265 2022-05-23
https://access.redhat.com/errata/RHSA-2019:1267 2022-05-23
https://access.redhat.com/errata/RHSA-2019:1269 2022-05-23
https://access.redhat.com/errata/RHSA-2019:1308 2022-05-23
https://access.redhat.com/errata/RHSA-2019:1309 2022-05-23
https://access.redhat.com/errata/RHSA-2019:1310 2022-05-23
https://access.redhat.com/errata/RHSA-2019:2494 2022-05-23
https://access.redhat.com/errata/RHSA-2019:2495 2022-05-23
https://access.redhat.com/errata/RHSA-2019:2585 2022-05-23
https://access.redhat.com/errata/RHSA-2019:2590 2022-05-23
https://access.redhat.com/errata/RHSA-2019:2592 2022-05-23
https://access.redhat.com/errata/RHSA-2019:2737 2022-05-23
https://security.gentoo.org/glsa/201908-02 2022-05-23
https://usn.ubuntu.com/3962-1 2022-05-23
https://usn.ubuntu.com/3991-1 2022-05-23
https://usn.ubuntu.com/3997-1 2022-05-23
https://usn.ubuntu.com/4080-1 2022-05-23
https://usn.ubuntu.com/4083-1 2022-05-23
https://www.debian.org/security/2019/dsa-4435 2022-05-23
https://www.debian.org/security/2019/dsa-4448 2022-05-23
https://www.debian.org/security/2019/dsa-4451 2022-05-23
https://access.redhat.com/security/cve/CVE-2019-7317 2019-09-11
https://bugzilla.redhat.com/show_bug.cgi?id=1672409 2019-09-11
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Opensuse
Search vendor "Opensuse"
 Package Hub
Search vendor "Opensuse" for product "Package Hub"
--
Affected
in Suse
Search vendor "Suse"
 Linux Enterprise
Search vendor "Suse" for product "Linux Enterprise"
 12.0
Search vendor "Suse" for product "Linux Enterprise" and version "12.0"
-
Safe
Libpng
Search vendor "Libpng"
 Libpng
Search vendor "Libpng" for product "Libpng"
 >= 1.6.0 < 1.6.37
Search vendor "Libpng" for product "Libpng" and version " >= 1.6.0 < 1.6.37"
-
Affected
Debian
Search vendor "Debian"
 Debian Linux
Search vendor "Debian" for product "Debian Linux"
 8.0
Search vendor "Debian" for product "Debian Linux" and version "8.0"
-
Affected
Debian
Search vendor "Debian"
 Debian Linux
Search vendor "Debian" for product "Debian Linux"
 9.0
Search vendor "Debian" for product "Debian Linux" and version "9.0"
-
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 16.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"
-
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 16.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"
esm
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 18.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "18.04"
lts
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 18.10
Search vendor "Canonical" for product "Ubuntu Linux" and version "18.10"
-
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 19.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "19.04"
-
Affected
Oracle
Search vendor "Oracle"
 Hyperion Infrastructure Technology
Search vendor "Oracle" for product "Hyperion Infrastructure Technology"
 11.2.6.0
Search vendor "Oracle" for product "Hyperion Infrastructure Technology" and version "11.2.6.0"
-
Affected
Oracle
Search vendor "Oracle"
 Java Se
Search vendor "Oracle" for product "Java Se"
 7u221
Search vendor "Oracle" for product "Java Se" and version "7u221"
-
Affected
Oracle
Search vendor "Oracle"
 Java Se
Search vendor "Oracle" for product "Java Se"
 8u212
Search vendor "Oracle" for product "Java Se" and version "8u212"
-
Affected
Oracle
Search vendor "Oracle"
 Jdk
Search vendor "Oracle" for product "Jdk"
 11.0.3
Search vendor "Oracle" for product "Jdk" and version "11.0.3"
-
Affected
Oracle
Search vendor "Oracle"
 Jdk
Search vendor "Oracle" for product "Jdk"
 12.0.1
Search vendor "Oracle" for product "Jdk" and version "12.0.1"
-
Affected
Oracle
Search vendor "Oracle"
 Mysql
Search vendor "Oracle" for product "Mysql"
 < 8.0.23
Search vendor "Oracle" for product "Mysql" and version " < 8.0.23"
-
Affected
Hp
Search vendor "Hp"
 Xp7 Command View
Search vendor "Hp" for product "Xp7 Command View"
 < 8.7.0-00
Search vendor "Hp" for product "Xp7 Command View" and version " < 8.7.0-00"
advanced
Affected
Hpe
Search vendor "Hpe"
 Xp7 Command View Advanced Edition Suite
Search vendor "Hpe" for product "Xp7 Command View Advanced Edition Suite"
 < 8.7.0-00
Search vendor "Hpe" for product "Xp7 Command View Advanced Edition Suite" and version " < 8.7.0-00"
-
Affected
Mozilla
Search vendor "Mozilla"
 Firefox Esr
Search vendor "Mozilla" for product "Firefox Esr"
--
Affected
Mozilla
Search vendor "Mozilla"
 Thunderbird
Search vendor "Mozilla" for product "Thunderbird"
--
Affected
Opensuse
Search vendor "Opensuse"
 Leap
Search vendor "Opensuse" for product "Leap"
 15.0
Search vendor "Opensuse" for product "Leap" and version "15.0"
-
Affected
Opensuse
Search vendor "Opensuse"
 Leap
Search vendor "Opensuse" for product "Leap"
 15.1
Search vendor "Opensuse" for product "Leap" and version "15.1"
-
Affected
Opensuse
Search vendor "Opensuse"
 Leap
Search vendor "Opensuse" for product "Leap"
 42.3
Search vendor "Opensuse" for product "Leap" and version "42.3"
-
Affected
Netapp
Search vendor "Netapp"
 Active Iq Unified Manager
Search vendor "Netapp" for product "Active Iq Unified Manager"
 < 9.6
Search vendor "Netapp" for product "Active Iq Unified Manager" and version " < 9.6"
vmware_vsphere
Affected
Netapp
Search vendor "Netapp"
 Active Iq Unified Manager
Search vendor "Netapp" for product "Active Iq Unified Manager"
 < 9.6
Search vendor "Netapp" for product "Active Iq Unified Manager" and version " < 9.6"
windows
Affected
Netapp
Search vendor "Netapp"
 Active Iq Unified Manager
Search vendor "Netapp" for product "Active Iq Unified Manager"
 9.6
Search vendor "Netapp" for product "Active Iq Unified Manager" and version "9.6"
vmware_vsphere
Affected
Netapp
Search vendor "Netapp"
 Active Iq Unified Manager
Search vendor "Netapp" for product "Active Iq Unified Manager"
 9.6
Search vendor "Netapp" for product "Active Iq Unified Manager" and version "9.6"
windows
Affected
Netapp
Search vendor "Netapp"
 Cloud Backup
Search vendor "Netapp" for product "Cloud Backup"
--
Affected
Netapp
Search vendor "Netapp"
 E-series Santricity Management
Search vendor "Netapp" for product "E-series Santricity Management"
-vcenter
Affected
Netapp
Search vendor "Netapp"
 E-series Santricity Storage Manager
Search vendor "Netapp" for product "E-series Santricity Storage Manager"
 < 11.53
Search vendor "Netapp" for product "E-series Santricity Storage Manager" and version " < 11.53"
-
Affected
Netapp
Search vendor "Netapp"
 E-series Santricity Unified Manager
Search vendor "Netapp" for product "E-series Santricity Unified Manager"
 < 3.2
Search vendor "Netapp" for product "E-series Santricity Unified Manager" and version " < 3.2"
-
Affected
Netapp
Search vendor "Netapp"
 E-series Santricity Web Services
Search vendor "Netapp" for product "E-series Santricity Web Services"
 < 4.0
Search vendor "Netapp" for product "E-series Santricity Web Services" and version " < 4.0"
web_services_proxy
Affected
Netapp
Search vendor "Netapp"
 Oncommand Insight
Search vendor "Netapp" for product "Oncommand Insight"
 < 7.3.9
Search vendor "Netapp" for product "Oncommand Insight" and version " < 7.3.9"
-
Affected
Netapp
Search vendor "Netapp"
 Oncommand Workflow Automation
Search vendor "Netapp" for product "Oncommand Workflow Automation"
 < 5.1
Search vendor "Netapp" for product "Oncommand Workflow Automation" and version " < 5.1"
-
Affected
Netapp
Search vendor "Netapp"
 Plug-in For Symantec Netbackup
Search vendor "Netapp" for product "Plug-in For Symantec Netbackup"
--
Affected
Netapp
Search vendor "Netapp"
 Snapmanager
Search vendor "Netapp" for product "Snapmanager"
 < 3.4.2
Search vendor "Netapp" for product "Snapmanager" and version " < 3.4.2"
oracle
Affected
Netapp
Search vendor "Netapp"
 Snapmanager
Search vendor "Netapp" for product "Snapmanager"
 < 3.4.2
Search vendor "Netapp" for product "Snapmanager" and version " < 3.4.2"
sap
Affected
Netapp
Search vendor "Netapp"
 Snapmanager
Search vendor "Netapp" for product "Snapmanager"
 3.4.2
Search vendor "Netapp" for product "Snapmanager" and version "3.4.2"
p1, oracle
Affected
Netapp
Search vendor "Netapp"
 Snapmanager
Search vendor "Netapp" for product "Snapmanager"
 3.4.2
Search vendor "Netapp" for product "Snapmanager" and version "3.4.2"
p1, sap
Affected
Netapp
Search vendor "Netapp"
 Steelstore
Search vendor "Netapp" for product "Steelstore"
--
Affected
Redhat
Search vendor "Redhat"
 Satellite
Search vendor "Redhat" for product "Satellite"
 5.8
Search vendor "Redhat" for product "Satellite" and version "5.8"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux
Search vendor "Redhat" for product "Enterprise Linux"
 6.0
Search vendor "Redhat" for product "Enterprise Linux" and version "6.0"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux
Search vendor "Redhat" for product "Enterprise Linux"
 7.0
Search vendor "Redhat" for product "Enterprise Linux" and version "7.0"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux
Search vendor "Redhat" for product "Enterprise Linux"
 8.0
Search vendor "Redhat" for product "Enterprise Linux" and version "8.0"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux Desktop
Search vendor "Redhat" for product "Enterprise Linux Desktop"
 6.0
Search vendor "Redhat" for product "Enterprise Linux Desktop" and version "6.0"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux Desktop
Search vendor "Redhat" for product "Enterprise Linux Desktop"
 7.0
Search vendor "Redhat" for product "Enterprise Linux Desktop" and version "7.0"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux For Ibm Z Systems
Search vendor "Redhat" for product "Enterprise Linux For Ibm Z Systems"
 6.0
Search vendor "Redhat" for product "Enterprise Linux For Ibm Z Systems" and version "6.0"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux For Ibm Z Systems
Search vendor "Redhat" for product "Enterprise Linux For Ibm Z Systems"
 7.0
Search vendor "Redhat" for product "Enterprise Linux For Ibm Z Systems" and version "7.0"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux For Ibm Z Systems
Search vendor "Redhat" for product "Enterprise Linux For Ibm Z Systems"
 8.0
Search vendor "Redhat" for product "Enterprise Linux For Ibm Z Systems" and version "8.0"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux For Power Big Endian
Search vendor "Redhat" for product "Enterprise Linux For Power Big Endian"
 6.0
Search vendor "Redhat" for product "Enterprise Linux For Power Big Endian" and version "6.0"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux For Power Big Endian
Search vendor "Redhat" for product "Enterprise Linux For Power Big Endian"
 7.0
Search vendor "Redhat" for product "Enterprise Linux For Power Big Endian" and version "7.0"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux For Power Little Endian
Search vendor "Redhat" for product "Enterprise Linux For Power Little Endian"
 7.0
Search vendor "Redhat" for product "Enterprise Linux For Power Little Endian" and version "7.0"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux For Power Little Endian
Search vendor "Redhat" for product "Enterprise Linux For Power Little Endian"
 8.0
Search vendor "Redhat" for product "Enterprise Linux For Power Little Endian" and version "8.0"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux For Scientific Computing
Search vendor "Redhat" for product "Enterprise Linux For Scientific Computing"
 6.0
Search vendor "Redhat" for product "Enterprise Linux For Scientific Computing" and version "6.0"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux For Scientific Computing
Search vendor "Redhat" for product "Enterprise Linux For Scientific Computing"
 7.0
Search vendor "Redhat" for product "Enterprise Linux For Scientific Computing" and version "7.0"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux Workstation
Search vendor "Redhat" for product "Enterprise Linux Workstation"
 6.0
Search vendor "Redhat" for product "Enterprise Linux Workstation" and version "6.0"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux Workstation
Search vendor "Redhat" for product "Enterprise Linux Workstation"
 7.0
Search vendor "Redhat" for product "Enterprise Linux Workstation" and version "7.0"
-
Affected