Impact
The vulnerability in libpng stems from pointer aliasing between the png_struct and png_info structures when calling png_set_tRNS and png_set_PLTE. These functions share a single heap allocation for the trans_alpha and palette buffers, respectively. When png_free_data frees the buffer via one struct, the other struct’s pointer remains dangling. Subsequent row‑transform functions may dereference or even write to this freed memory, which can corrupt the heap and potentially enable an attacker to execute arbitrary code. The flaw is classified as CWE‑416 and, due to the memory corruption risk, also CWE‑825.
Affected Systems
libpng versions 1.2.1 through 1.6.55 released by pnggroup are affected. Any application that links against these libpng releases and processes PNG files containing tRNS or PLTE chunks is at risk. The defect is present in all historical release lines up to 1.6.55; version 1.6.56 resolves the issue.
Risk and Exploitability
The CVSS score of 7.5 indicates high severity, while the EPSS score of 1% suggests that exploitation is currently improbable. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker can trigger the flaw by supplying a crafted PNG file that includes malformed tRNS or PLTE chunks. If the target application accepts external images—such as via a network service, file upload interface, or local file processing—the attacker can provoke a use‑after‑free during subsequent image processing, potentially leading to denial of service or arbitrary code execution dependent on the privileges of the running process.
OpenCVE Enrichment
Debian DLA
Debian DSA
Ubuntu USN