CVE-2026-33416

Name

CVE-2026-33416

Description

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, `png_set_tRNS` and `png_set_PLTE` each alias a heap-allocated buffer between `png_struct` and `png_info`, sharing a single allocation across two structs with independent lifetimes. The `trans_alpha` aliasing has been present since at least libpng 1.0, and the `palette` aliasing since at least 1.2.1. Both affect all prior release lines `png_set_tRNS` sets `png_ptr->trans_alpha = info_ptr->trans_alpha` (256-byte buffer) and `png_set_PLTE` sets `info_ptr->palette = png_ptr->palette` (768-byte buffer). In both cases, calling `png_free_data` (with `PNG_FREE_TRNS` or `PNG_FREE_PLTE`) frees the buffer through `info_ptr` while the corresponding `png_ptr` pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory. A second call to `png_set_tRNS` or `png_set_PLTE` has the same effect, because both functions call `png_free_data` internally before reallocating the `info_ptr` buffer. Version 1.6.56 fixes the issue.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

References

Type	URI
security-advisories@github.com	https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb
security-advisories@github.com	https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667
security-advisories@github.com	https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25
security-advisories@github.com	https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1
security-advisories@github.com	https://github.com/pnggroup/libpng/pull/824
security-advisories@github.com	https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:libpng:libpng::::::::`	libpng	>= 1.2.1	< 1.6.56

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
libpng	edge-main	1.6.56-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
libpng	edge-main	1.6.55-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
libpng	edge-main	1.6.54-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
libpng	edge-main	1.6.53-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
libpng	edge-main	1.6.51-r1	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
libpng	edge-main	1.6.51-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
libpng	edge-main	1.6.49-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
libpng	edge-main	1.6.47-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
libpng	edge-main	1.6.46-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
libpng	edge-main	1.6.45-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
libpng	edge-main	1.6.44-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
libpng	edge-main	1.6.37-r0	None	possibly vulnerable
libpng	3.23-main	1.6.56-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
libpng	3.23-main	1.6.55-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
libpng	3.23-main	1.6.54-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
libpng	3.23-main	1.6.53-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
libpng	3.22-main	1.6.56-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
libpng	3.22-main	1.6.55-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
libpng	3.22-main	1.6.54-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
libpng	3.22-main	1.6.53-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
libpng	3.22-main	1.6.51-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
libpng	3.22-main	1.6.47-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
libpng	3.22-main	1.6.37-r0	None	possibly vulnerable
libpng	3.21-main	1.6.56-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
libpng	3.21-main	1.6.55-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
libpng	3.21-main	1.6.54-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
libpng	3.21-main	1.6.53-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
libpng	3.21-main	1.6.47-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
libpng	3.21-main	1.6.44-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
libpng	3.21-main	1.6.37-r0	None	possibly vulnerable
libpng	3.20-main	1.6.56-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
libpng	3.20-main	1.6.55-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
libpng	3.20-main	1.6.54-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
libpng	3.20-main	1.6.53-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
libpng	3.20-main	1.6.44-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
libpng	3.20-main	1.6.37-r0	None	possibly vulnerable
libpng	3.19-main	1.6.44-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
libpng	3.19-main	1.6.37-r0	None	possibly vulnerable