Description
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, `png_set_tRNS` and `png_set_PLTE` each alias a heap-allocated buffer between `png_struct` and `png_info`, sharing a single allocation across two structs with independent lifetimes. The `trans_alpha` aliasing has been present since at least libpng 1.0, and the `palette` aliasing since at least 1.2.1. Both affect all prior release lines. `png_set_tRNS` sets `png_ptr->trans_alpha = info_ptr->trans_alpha` (256-byte buffer) and `png_set_PLTE` sets `info_ptr->palette = png_ptr->palette` (768-byte buffer). In both cases, calling `png_free_data` (with `PNG_FREE_TRNS` or `PNG_FREE_PLTE`) frees the buffer through `info_ptr` while the corresponding `png_ptr` pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory. A second call to `png_set_tRNS` or `png_set_PLTE` has the same effect, because both functions call `png_free_data` internally before reallocating the `info_ptr` buffer. Version 1.6.56 fixes the issue.
Published: 2026-03-26
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Use‑After‑Free leading to memory corruption and potential arbitrary code execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in libpng arises from pointer aliasing between png_struct and png_info. The trans_alpha buffer set by png_set_tRNS and the palette buffer set by png_set_PLTE share a single heap allocation. After png_free_data frees the buffer through one struct, the other’s pointer remains dangling. Subsequent processing of PNG data can dereference or write to this freed memory, potentially causing a crash or allowing an attacker to execute arbitrary code, thereby compromising integrity and availability.
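
The lifetime problem described above, reduced to a toy C model (an added example, not libpng source and not the 1.6.56 patch): `model_png`, `model_info` and every function name are hypothetical stand-ins, and the private-copy variant is one assumed way to remove the aliasing.

```c
#include <stdlib.h>
#include <string.h>
#define TRNS_SIZE 256  /* trans_alpha buffer size stated in the advisory */

/* Toy stand-ins for png_struct and png_info; only the tRNS buffer is modeled. */
typedef struct { unsigned char *trans_alpha; } model_png, model_info;

static unsigned char *dup_trns(const unsigned char *src) {
    unsigned char *p = malloc(TRNS_SIZE);
    if (p == NULL) abort();
    memcpy(p, src, TRNS_SIZE);
    return p;
}

/* Affected pattern: one allocation stored in both structs. */
static void set_trns_aliased(model_png *png, model_info *info, const unsigned char *src) {
    info->trans_alpha = dup_trns(src);
    png->trans_alpha = info->trans_alpha;      /* two owners, one buffer */
}

/* Hardened pattern (assumption, not the 1.6.56 patch): private copy per struct. */
static void set_trns_owned(model_png *png, model_info *info, const unsigned char *src) {
    info->trans_alpha = dup_trns(src);
    png->trans_alpha = dup_trns(src);
}

/* Models png_free_data(..., PNG_FREE_TRNS): releases through info only. */
static void free_trns_via_info(model_info *info) {
    free(info->trans_alpha);
    info->trans_alpha = NULL;
}

/* Returns 1 if the png-side buffer is still valid after the info-side free, 0 if dangling. */
static int png_buffer_survives_free(int hardened) {
    unsigned char src[TRNS_SIZE];
    model_png png = { NULL };
    model_info info = { NULL };
    memset(src, 0x7f, sizeof src);                       /* constructed sample alpha values */
    (hardened ? set_trns_owned : set_trns_aliased)(&png, &info, src);
    int shared = (png.trans_alpha == info.trans_alpha);  /* compared while both are live */
    free_trns_via_info(&info);
    if (shared) { png.trans_alpha = NULL; return 0; }    /* dangling: never read or free it */
    int ok = (png.trans_alpha[TRNS_SIZE - 1] == 0x7f);   /* private copy is still readable */
    free(png.trans_alpha);
    return ok;
}

int main(void) {
    /* Exit status 0 when the aliased model dangles and the owned model does not. */
    return !(png_buffer_survives_free(0) == 0 && png_buffer_survives_free(1) == 1);
}
```

The model never touches the freed buffer: it records whether the two pointers were equal before the free, which is the condition that leaves `png_ptr` dangling in the affected versions.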

Affected Systems

The affected product is libpng released by pnggroup. All versions from 1.2.1 through 1.6.55 contain the flaw. Applications that link to these libpng releases and process PNG files with tRNS or PLTE chunks are at risk.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1% suggests that exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an application to parse a PNG file and later invoke png_set_tRNS or png_set_PLTE, triggering the use‑after‑free during subsequent row‑transform operations. Though the exact attack vector is not specified, an attacker can trigger the flaw by supplying a crafted PNG—potentially via a network connection if the application accepts external image data—leading to arbitrary code execution or denial of service. The risk remains significant where such image processing is performed.

Generated by OpenCVE AI on April 2, 2026 at 22:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade libpng to version 1.6.56 or later.



Advisories
Source | ID | Title
Debian DLA | DLA-4521-1 | libpng1.6 security update
Debian DSA | DSA-6189-1 | libpng1.6 security update
History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Libpng
Libpng libpng
CPEs cpe:2.3:a:libpng:libpng:*:*:*:*:*:*:*:*
Vendors & Products Libpng
Libpng libpng

Fri, 27 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

threat_severity

Moderate


Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Pnggroup
Pnggroup libpng
Vendors & Products Pnggroup
Pnggroup libpng

Thu, 26 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Description LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, `png_set_tRNS` and `png_set_PLTE` each alias a heap-allocated buffer between `png_struct` and `png_info`, sharing a single allocation across two structs with independent lifetimes. The `trans_alpha` aliasing has been present since at least libpng 1.0, and the `palette` aliasing since at least 1.2.1. Both affect all prior release lines. `png_set_tRNS` sets `png_ptr->trans_alpha = info_ptr->trans_alpha` (256-byte buffer) and `png_set_PLTE` sets `info_ptr->palette = png_ptr->palette` (768-byte buffer). In both cases, calling `png_free_data` (with `PNG_FREE_TRNS` or `PNG_FREE_PLTE`) frees the buffer through `info_ptr` while the corresponding `png_ptr` pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory. A second call to `png_set_tRNS` or `png_set_PLTE` has the same effect, because both functions call `png_free_data` internally before reallocating the `info_ptr` buffer. Version 1.6.56 fixes the issue.
Title LIBPNG has use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`
Weaknesses CWE-416
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T03:55:17.603Z

Reserved: 2026-03-19T17:02:34.172Z

Link: CVE-2026-33416

Vulnrichment

Updated: 2026-03-26T19:50:41.189Z

NVD

Status: Analyzed

Published: 2026-03-26T17:16:38.443

Modified: 2026-04-02T20:28:33.973

Link: CVE-2026-33416

Redhat

Severity: Moderate

Public Date: 2026-03-26T16:48:54Z

Links: CVE-2026-33416 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-03T09:38:59Z

Weaknesses