Perceptive Security
SOC/SIEM Consultancy
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 th…
Published:
25 March 2026 at 23:00:00
Alert date:
26 March 2026 at 18:03:17
Source:
nvd.nist.gov
Supply Chain & Dependencies, Web Technologies
CVE-2026-33416 affects LIBPNG versions 1.2.1 through 1.6.55, involving a use-after-free vulnerability in png_set_tRNS and png_set_PLTE functions. The issue stems from heap buffer aliasing between png_struct and png_info structures with independent lifetimes. When png_free_data is called, it frees buffers through info_ptr while leaving corresponding png_ptr pointers dangling. Subsequent row-transform functions then dereference and potentially write to freed memory, creating a serious security vulnerability. The trans_alpha aliasing affects a 256-byte buffer while palette aliasing affects a 768-byte buffer. Version 1.6.56 resolves this critical memory management issue.
Technical details
Mitigation steps:
Affected products:
LIBPNG
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-33416
https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb
https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667
https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25
https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1
https://github.com/pnggroup/libpng/pull/824
https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j
Related CVE's:
Related threat actors:
IOC's:
This article was created with the assistance of AI technology by Perceptive.