CVE-2019-6129 in libpnginfo

Summary

by MITRE

png_create_info_struct in png.c in libpng 1.6.36 has a memory leak, as demonstrated by pngcp. NOTE: a third party has stated "I don't think it is libpng's job to free this buffer.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 05/29/2026

The vulnerability identified as CVE-2019-6129 resides within the libpng library version 1.6.36, specifically in the png_create_info_struct function located in the png.c source file. This memory leak represents a critical security flaw that can be exploited to consume system resources and potentially lead to denial of service conditions. The vulnerability was demonstrated through the pngcp utility, which is part of the libpng toolkit and commonly used for processing png image files. The issue manifests when the library fails to properly release allocated memory resources during the creation of information structures for png image processing, creating a persistent memory consumption problem that can accumulate over time.

The technical flaw stems from improper memory management within the png_create_info_struct function where allocated memory blocks are not correctly deallocated when the function encounters certain error conditions or when processing specific png image formats. This memory leak occurs during the normal operation of png image processing, particularly when dealing with malformed or specially crafted png files that trigger the problematic code path. The vulnerability is classified under CWE-401 as a failure to release memory resources, which is a fundamental memory management error that can be exploited by attackers to exhaust available system memory. The flaw exists because the function does not properly handle error cases where memory allocation succeeds but subsequent processing fails, leading to memory leaks that persist throughout the application's execution lifecycle.

The operational impact of this vulnerability extends beyond simple resource exhaustion, as it can be leveraged in various attack scenarios that target applications relying on libpng for image processing. When exploited through the pngcp utility or other applications using libpng, the memory leak can cause applications to gradually consume all available memory, leading to system instability, application crashes, or complete system denial of service. This vulnerability is particularly concerning in web applications, image processing services, and any system that accepts user-uploaded png files, as attackers can craft malicious png files to trigger the memory leak repeatedly. The attack surface is broad since libpng is widely used across numerous operating systems, applications, and platforms, making this vulnerability potentially exploitable in many different environments. According to ATT&CK framework, this vulnerability maps to T1499.004 which covers network denial of service attacks, and T1595.001 which involves reconnaissance for vulnerabilities in target hosts.

Mitigation strategies for CVE-2019-6129 involve immediate patching of the libpng library to version 1.6.37 or later, which contains the fix for the memory leak issue. System administrators should also implement input validation measures to filter or reject suspicious png files before they reach the libpng processing functions. Additionally, monitoring systems should be configured to detect unusual memory consumption patterns that might indicate exploitation attempts. Applications using libpng should implement proper error handling and resource cleanup procedures to minimize the impact if a vulnerable version is inadvertently used. The fix addresses the root cause by ensuring that all allocated memory is properly released regardless of the execution path taken during png image processing, thereby preventing the accumulation of leaked memory blocks that could eventually lead to system resource exhaustion and denial of service conditions.

Reservation

01/10/2019

Disclosure

01/11/2019

Moderation

accepted

CPE

ready

EPSS

0.01387

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!