RSEC-2026-1

Import Source
https://github.com/RConsortium/r-advisory-database/blob/main/vulns/png/RSEC-2026-1.yaml
JSON Data
https://api.osv.dev/v1/vulns/RSEC-2026-1
Published
2026-03-13T20:45:00Z
Modified
2026-03-26T23:00:06.560158Z
Summary
Risk of Buffer Overflow Vulnerability when installed from source on Windows R < 4.2
Details

Installing the png package from source on Windows can download and install an old version of libpng that has known vulnerabilities. On Windows with R versions < 4.2, building the png package downloads an archived libpng 1.5.4 from 2011. On R versions 4.2 or newer, libpng is bundled with the relevant Rtools (Rtools42+) and is not downloaded during png package installation; check the Rtools release notes to see whether the vulnerability applies. Where the vulnerable libpng is used, there is a risk of buffer overflow when reading certain PNG files.

Affected packages

CRAN / png

Package

Name
png
Purl
pkg:cran/png

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.1-3
Fixed
0.1-9

Affected versions

0.*
0.1-3
0.1-4
0.1-5
0.1-6
0.1-7
0.1-8

Database specific

source
"https://github.com/RConsortium/r-advisory-database/blob/main/vulns/png/RSEC-2026-1.yaml"