{"id":"RSEC-2026-1","summary":"Risk of Buffer Overflow Vulnerability when installed from source on Windows R \u003c 4.2","details":"Installing the png package from source on Windows could download and install an older version of libpng that has known vulnerabilities.\nOn Windows R versions \u003c 4.2, building the png package will download an archived libpng 1.5.4 from 2011. Note that on R versions 4.2 or newer, libpng is bundled in the relevant Rtools42+ and is not downloaded during png package installation. Check the Rtools release notes to see if the vulnerability applies.\nWhere the vulnerable libpng is used, this represents a risk of buffer overflow when reading certain png files.\n","modified":"2026-03-26T23:00:06.566439Z","published":"2026-03-13T20:45:00Z","upstream":["CVE-2026-25646"],"references":[{"type":"WEB","url":"https://github.com/s-u/png/issues/8"},{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25646"},{"type":"WEB","url":"https://github.com/pnggroup/libpng/security/advisories/GHSA-g8hp-mq4h-rqm3"}],"affected":[{"package":{"name":"png","ecosystem":"CRAN","purl":"pkg:cran/png"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0.1-3"},{"fixed":"0.1-9"}]}],"versions":["0.1-3","0.1-4","0.1-5","0.1-6","0.1-7","0.1-8"],"database_specific":{"source":"https://github.com/RConsortium/r-advisory-database/blob/main/vulns/png/RSEC-2026-1.yaml"}}],"schema_version":"1.7.5"}