{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERT@VDE",
        "summary": "coordination",
        "urls": [
          "https://certvde.com"
        ]
      }
    ],
    "aggregate_severity": {
      "namespace": "https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale",
      "text": "high"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-GB",
    "notes": [
      {
        "category": "summary",
        "text": "Titration software versions prior to 2.0.2.6 are affected by libpng vulnerabilities CVE-2026-33416 and CVE-2026-33636.",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "When an EVA Karl Fischer titrator connects to a LabX server for authentication, a crafted PNG image processed during this flow could trigger the vulnerabilities in the underlying libpng library, potentially causing a denial of service, information disclosure, heap corruption, or code execution.",
        "title": "Impact"
      },
      {
        "category": "description",
        "text": "Update to Titration software version 2.0.2.6, which includes fixes for CVE-2026-33416 and CVE-2026-33636.",
        "title": "Remediation"
      },
      {
        "category": "legal_disclaimer",
        "text": "Your use of the information on this document or materials linked from this document is at your own risk. METTLER TOLEDO makes reasonable efforts to ensure the accuracy of the information but does not grant any warranty, express or implied, including warranties of merchantability or fitness for a particular purpose. To the extent permitted by applicable law, METTLER TOLEDO excludes liability for any loss, claim, expense or damage arising from or related to the statements in this document. METTLER TOLEDO reserves the right to change or update this document at any time.",
        "title": "Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "psirt@mt.com",
      "name": "Mettler-Toledo GmbH",
      "namespace": "https://www.mt.com"
    },
    "references": [
      {
        "category": "external",
        "summary": "Product security website of METTLER TOLEDO",
        "url": "https://www.mt.com/ph/en/home/site_content/product-security.html"
      },
      {
        "category": "external",
        "summary": "CERT@VDE Security Advisories for METTLER TOLEDO",
        "url": "https://certvde.com/en/advisories/vendor/mettler-toledo/"
      },
      {
        "category": "self",
        "summary": "VDE-2026-053: METTLER TOLEDO: EVA Karl Fischer titrators affected by libpng vulnerabilities - HTML",
        "url": "https://certvde.com/en/advisories/VDE-2026-053/"
      },
      {
        "category": "self",
        "summary": "VDE-2026-053: METTLER TOLEDO: EVA Karl Fischer titrators affected by libpng vulnerabilities - CSAF",
        "url": "https://mettler-toledo.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-053.json"
      }
    ],
    "title": "METTLER TOLEDO: EVA Karl Fischer titrators affected by libpng vulnerabilities",
    "tracking": {
      "aliases": [
        "VDE-2026-053"
      ],
      "current_release_date": "2026-05-26T10:00:00.000Z",
      "generator": {
        "date": "2026-05-21T09:27:10.358Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.44"
        }
      },
      "id": "VDE-2026-053",
      "initial_release_date": "2026-05-26T10:00:00.000Z",
      "revision_history": [
        {
          "date": "2026-05-26T10:00:00.000Z",
          "number": "1.0.0",
          "summary": "Initial revision"
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "vers:intdot/<2.0.2.6",
                    "product": {
                      "name": "Titration Software version <2.0.2.6",
                      "product_id": "CSAFPID-51001",
                      "product_identification_helper": {
                        "cpe": "cpe:2.3:a:mettler_toledo:eva_titration:*:*:*:*:*:*:*:*"
                      }
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "2.0.2.6",
                    "product": {
                      "name": "Titration Software version 2.0.2.6",
                      "product_id": "CSAFPID-52001",
                      "product_identification_helper": {
                        "cpe": "cpe:2.3:a:mettler_toledo:eva_titration:2.0.2.6:*:*:*:*:*:*:*"
                      }
                    }
                  }
                ],
                "category": "product_name",
                "name": "Titration Software"
              }
            ],
            "category": "product_family",
            "name": "Software"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "EVA V1 Volumetric Karl Fischer Titrator",
                "product": {
                  "name": "EVA V1 Volumetric Karl Fischer Titrator",
                  "product_id": "CSAFPID-11001",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:h:mettler_toledo:volumetric_kf_titrator_eva_v1:*:*:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "EVA V3 Volumetric Karl Fischer Titrator",
                "product": {
                  "name": "EVA V3 Volumetric Karl Fischer Titrator",
                  "product_id": "CSAFPID-11002",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:h:mettler_toledo:volumetric_kf_titrator_eva_v3:*:*:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "EVA C1 Coulometric Karl Fischer Titrator",
                "product": {
                  "name": "EVA C1 Coulometric Karl Fischer Titrator",
                  "product_id": "CSAFPID-11003",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:h:mettler_toledo:coulometric_kf_titrator_eva_c1:*:*:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "EVA C3 Coulometric Karl Fischer Titrator",
                "product": {
                  "name": "EVA C3 Coulometric Karl Fischer Titrator",
                  "product_id": "CSAFPID-11004",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:h:mettler_toledo:coulometric_kf_titrator_eva_c3:*:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Hardware"
          }
        ],
        "category": "vendor",
        "name": "METTLER TOLEDO"
      }
    ],
    "product_groups": [
      {
        "group_id": "CSAFGID-0001",
        "product_ids": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004"
        ],
        "summary": "affected products"
      },
      {
        "group_id": "CSAFGID-0002",
        "product_ids": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003",
          "CSAFPID-32004"
        ],
        "summary": "fixed products"
      }
    ],
    "relationships": [
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Titration Software version <2.0.2.6 installed on EVA V1 Volumetric Karl Fischer Titrator",
          "product_id": "CSAFPID-31001",
          "product_identification_helper": {
            "cpe": "cpe:2.3:o:mettler_toledo:volumetric_kf_titrator_eva_v1:*:*:*:*:*:*:*:*"
          }
        },
        "product_reference": "CSAFPID-51001",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Titration Software version <2.0.2.6 installed on EVA V3 Volumetric Karl Fischer Titrator",
          "product_id": "CSAFPID-31002",
          "product_identification_helper": {
            "cpe": "cpe:2.3:o:mettler_toledo:volumetric_kf_titrator_eva_v3:*:*:*:*:*:*:*:*"
          }
        },
        "product_reference": "CSAFPID-51001",
        "relates_to_product_reference": "CSAFPID-11002"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Titration Software version <2.0.2.6 installed on EVA C1 Coulometric Karl Fischer Titrator",
          "product_id": "CSAFPID-31003",
          "product_identification_helper": {
            "cpe": "cpe:2.3:o:mettler_toledo:coulometric_kf_titrator_eva_c1:*:*:*:*:*:*:*:*"
          }
        },
        "product_reference": "CSAFPID-51001",
        "relates_to_product_reference": "CSAFPID-11003"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Titration Software version <2.0.2.6 installed on EVA C3 Coulometric Karl Fischer Titrator",
          "product_id": "CSAFPID-31004",
          "product_identification_helper": {
            "cpe": "cpe:2.3:o:mettler_toledo:coulometric_kf_titrator_eva_c3:*:*:*:*:*:*:*:*"
          }
        },
        "product_reference": "CSAFPID-51001",
        "relates_to_product_reference": "CSAFPID-11004"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Titration Software version 2.0.2.6 installed on EVA V1 Volumetric Karl Fischer Titrator",
          "product_id": "CSAFPID-32001",
          "product_identification_helper": {
            "cpe": "cpe:2.3:o:mettler_toledo:volumetric_kf_titrator_eva_v1:2.0.2.6:*:*:*:*:*:*:*"
          }
        },
        "product_reference": "CSAFPID-52001",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Titration Software version 2.0.2.6 installed on EVA V3 Volumetric Karl Fischer Titrator",
          "product_id": "CSAFPID-32002",
          "product_identification_helper": {
            "cpe": "cpe:2.3:o:mettler_toledo:volumetric_kf_titrator_eva_v3:2.0.2.6:*:*:*:*:*:*:*"
          }
        },
        "product_reference": "CSAFPID-52001",
        "relates_to_product_reference": "CSAFPID-11002"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Titration Software version 2.0.2.6 installed on EVA C1 Coulometric Karl Fischer Titrator",
          "product_id": "CSAFPID-32003",
          "product_identification_helper": {
            "cpe": "cpe:2.3:o:mettler_toledo:coulometric_kf_titrator_eva_c1:2.0.2.6:*:*:*:*:*:*:*"
          }
        },
        "product_reference": "CSAFPID-52001",
        "relates_to_product_reference": "CSAFPID-11003"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Titration Software version 2.0.2.6 installed on EVA C3 Coulometric Karl Fischer Titrator",
          "product_id": "CSAFPID-32004",
          "product_identification_helper": {
            "cpe": "cpe:2.3:o:mettler_toledo:coulometric_kf_titrator_eva_c3:2.0.2.6:*:*:*:*:*:*:*"
          }
        },
        "product_reference": "CSAFPID-52001",
        "relates_to_product_reference": "CSAFPID-11004"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-33636",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "notes": [
        {
          "category": "description",
          "text": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.6.36 through 1.6.55, an out-of-bounds read and write exists in libpng's ARM/AArch64 Neon-optimized palette expansion path. When expanding 8-bit paletted rows to RGB or RGBA, the Neon loop processes a final partial chunk without verifying that enough input pixels remain. Because the implementation works backward from the end of the row, the final iteration dereferences pointers before the start of the row buffer (OOB read) and writes expanded pixel data to the same underflowed positions (OOB write). This is reachable via normal decoding of attacker-controlled PNG input if Neon is enabled. Version 1.6.56 fixes the issue.",
          "title": "CVE Description"
        },
        {
          "category": "description",
          "text": "The EVA Karl Fischer titrator must receive a crafted paletted PNG image during the LabX login flow.",
          "title": "Vulnerability Characterisation"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003",
          "CSAFPID-32004"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004"
        ],
        "recommended": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003",
          "CSAFPID-32004"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to Titration software version 2.0.2.6, which includes a fix for CVE-2026-33636.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "environmentalScore": 7.6,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 7.6,
            "temporalSeverity": "HIGH",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003",
            "CSAFPID-31004"
          ]
        }
      ],
      "title": "LIBPNG has ARM NEON Palette Expansion Out-of-Bounds Read on AArch64"
    },
    {
      "cve": "CVE-2026-33416",
      "cwe": {
        "id": "CWE-416",
        "name": "Use After Free"
      },
      "notes": [
        {
          "category": "description",
          "text": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, `png_set_tRNS` and `png_set_PLTE` each alias a heap-allocated buffer between `png_struct` and `png_info`, sharing a single allocation across two structs with independent lifetimes. The `trans_alpha` aliasing has been present since at least libpng 1.0, and the `palette` aliasing since at least 1.2.1. Both affect all prior release lines. `png_set_tRNS` sets `png_ptr->trans_alpha = info_ptr->trans_alpha` (256-byte buffer) and `png_set_PLTE` sets `info_ptr->palette = png_ptr->palette` (768-byte buffer). In both cases, calling `png_free_data` (with `PNG_FREE_TRNS` or `PNG_FREE_PLTE`) frees the buffer through `info_ptr` while the corresponding `png_ptr` pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory. A second call to `png_set_tRNS` or `png_set_PLTE` has the same effect, because both functions call `png_free_data` internally before reallocating the `info_ptr` buffer. Version 1.6.56 fixes the issue.",
          "title": "CVE Description"
        },
        {
          "category": "description",
          "text": "The EVA Karl Fischer titrator must receive a crafted PNG image during the LabX login flow.",
          "title": "Vulnerability Characterisation"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003",
          "CSAFPID-32004"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004"
        ],
        "recommended": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003",
          "CSAFPID-32004"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to Titration software version 2.0.2.6, which includes a fix for CVE-2026-33416.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 7.5,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 7.5,
            "temporalSeverity": "HIGH",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003",
            "CSAFPID-31004"
          ]
        }
      ],
      "title": "LIBPNG has use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`"
    }
  ]
}