Description
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.0.9 to before 1.6.57, passing a pointer obtained from png_get_PLTE, png_get_tRNS, or png_get_hIST back into the corresponding setter on the same png_struct/png_info pair causes the setter to read from freed memory and copy its contents into the replacement buffer. The setter frees the internal buffer before copying from the caller-supplied pointer, which now dangles. The freed region may contain stale data (producing silently corrupted chunk metadata) or data from subsequent heap allocations (leaking unrelated heap contents into the chunk struct). This vulnerability is fixed in 1.6.57.
Published: 2026-04-09
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Heap information disclosure
Action: Patch
AI Analysis

Impact

Libpng, a widely used reference library for handling PNG images, has a use‑after‑free bug in the functions png_set_PLTE, png_set_tRNS, and png_set_hIST. When an application retrieves a pointer to internal chunk data via png_get_PLTE, png_get_tRNS, or png_get_hIST and later supplies that same pointer to the matching setter, the setter frees its internal buffer before copying data from the now‑dangling pointer. This causes the function to read from memory that has already been reclaimed, producing silently corrupted PNG metadata or leaking unrelated heap contents into the chunk structure.

Affected Systems

The flaw affects all libpng releases from 1.0.9 up to, but not including, 1.6.57. Many image viewers, editors, and third‑party tools that integrate libpng are potentially using these versions. Systems should verify the libpng version they deploy and apply an update to 1.6.57 or later.

Risk and Exploitability

The base CVSS score of 5.1 indicates medium severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited current exploitation. The most likely attack vector involves the processing of a malicious PNG file that triggers the vulnerable setter through a getter‑returned pointer. Based on the description, it is inferred that an attacker must supply a crafted PNG that forces libpng to execute the flawed routine and take advantage of the read from freed memory. Successful exploitation would result in the disclosure of heap contents or corruption of image metadata, potentially leading to further attacker‑controlled payload execution in downstream consumers of the PNG data.

Generated by OpenCVE AI on April 10, 2026 at 03:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade libpng to version 1.6.57 or later.
  • If upgrading is not immediately possible, avoid passing pointers returned by png_get_* directly to the matching png_set_* functions.
  • Verify that any patch or downstream library versions include the fix.
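
The ordering problem from the description and the caller-side workaround in the second bullet, as an added example that is not libpng source and not part of the original record. chunk_t and every function name are hypothetical stand-ins for the png_info buffer and its getter/setter pair, and set_copy_first shows one alias-safe ordering, not necessarily the change made in 1.6.57.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified model of the pattern, not libpng source; all names are hypothetical. */
typedef struct { unsigned char *buf; size_t len; } chunk_t;

/* Frees-first ordering from the advisory: unsafe when src aliases c->buf. */
static int set_frees_first(chunk_t *c, const unsigned char *src, size_t len) {
    free(c->buf);                       /* src dangles here if it was c->buf */
    c->buf = NULL; c->len = 0;
    unsigned char *n = malloc(len ? len : 1);
    if (!n) return -1;
    memcpy(n, src, len);                /* would read freed memory on aliasing */
    c->buf = n; c->len = len;
    return 0;
}

/* Alias-safe ordering: build the replacement before releasing the old buffer. */
static int set_copy_first(chunk_t *c, const unsigned char *src, size_t len) {
    unsigned char *n = malloc(len ? len : 1);
    if (!n) return -1;
    memcpy(n, src, len);                /* old buffer is still live here */
    free(c->buf);
    c->buf = n; c->len = len;
    return 0;
}

/* Caller-side workaround: snapshot the getter's pointer before calling the setter. */
static int reset_via_snapshot(chunk_t *c) {
    size_t len = c->len;
    unsigned char *tmp = malloc(len ? len : 1);
    if (!tmp) return -1;
    memcpy(tmp, c->buf, len);           /* private copy survives the setter's free */
    int rc = set_frees_first(c, tmp, len);
    free(tmp);
    return rc;
}

/* Returns 1 if a get-then-set round trip keeps the constructed sample bytes. */
int roundtrip_preserved(int use_snapshot) {
    static const unsigned char sample[4] = {0x10, 0x80, 0xC0, 0xFF}; /* constructed */
    chunk_t c = { malloc(sizeof sample), sizeof sample };
    if (!c.buf) return 0;
    memcpy(c.buf, sample, sizeof sample);
    int rc = use_snapshot ? reset_via_snapshot(&c)            /* frees-first setter */
                          : set_copy_first(&c, c.buf, c.len); /* aliased but safe */
    int ok = rc == 0 && c.len == sizeof sample && memcmp(c.buf, sample, c.len) == 0;
    free(c.buf);
    return ok;
}
```

The aliased call into set_frees_first is deliberately never executed; building with -fsanitize=address and making that call is how the heap-use-after-free read would show up in a test harness.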

Generated by OpenCVE AI on April 10, 2026 at 03:50 UTC.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Pnggroup
Pnggroup libpng
Vendors & Products Pnggroup
Pnggroup libpng

Fri, 10 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

threat_severity

Moderate


Thu, 09 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 09 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.0.9 to before 1.6.57, passing a pointer obtained from png_get_PLTE, png_get_tRNS, or png_get_hIST back into the corresponding setter on the same png_struct/png_info pair causes the setter to read from freed memory and copy its contents into the replacement buffer. The setter frees the internal buffer before copying from the caller-supplied pointer, which now dangles. The freed region may contain stale data (producing silently corrupted chunk metadata) or data from subsequent heap allocations (leaking unrelated heap contents into the chunk struct). This vulnerability is fixed in 1.6.57.
Title LIBPNG has a use-after-free in png_set_PLTE, png_set_tRNS and png_set_hIST leading to corrupted chunk data and potential heap information disclosure
Weaknesses CWE-416
References
Metrics cvssV3_1

{'score': 5.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T16:07:31.052Z

Reserved: 2026-03-30T19:17:10.225Z

Link: CVE-2026-34757

Vulnrichment

Updated: 2026-04-09T16:07:26.718Z

NVD

Status: Received

Published: 2026-04-09T15:16:11.003

Modified: 2026-04-09T15:16:11.003

Link: CVE-2026-34757

Redhat

Severity: Moderate

Public Date: 2026-04-09T14:41:18Z

Links: CVE-2026-34757 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-10T09:32:43Z

Weaknesses