lwip embeds a copy of libpng version 1.6.18 as a dependency. This version of libpng is vulnerable to multiple denial-of-service (DoS) vulnerabilities including CVE-2015-8126, and CVE-2015-8472.