CVE-2026-33416

Published: March 27, 2026Last modified: March 28, 2026

Description

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, `png_set_tRNS` and `png_set_PLTE` each alias a heap-allocated buffer between `png_struct` and `png_info`, sharing a single allocation across two structs with independent lifetimes. The `trans_alpha` aliasing has been present since at least libpng 1.0, and the `palette` aliasing since at least 1.2.1. Both affect all prior release lines `png_set_tRNS` sets `png_ptr->trans_alpha = info_ptr->trans_alpha` (256-byte buffer) and `png_set_PLTE` sets `info_ptr->palette = png_ptr->palette` (768-byte buffer). In both cases, calling `png_free_data` (with `PNG_FREE_TRNS` or `PNG_FREE_PLTE`) frees the buffer through `info_ptr` while the corresponding `png_ptr` pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory. A second call to `png_set_tRNS` or `png_set_PLTE` has the same effect, because both functions call `png_free_data` internally before reallocating the `info_ptr` buffer. Version 1.6.56 fixes the issue.

Severity score breakdown

Parameter	Value
Base score	7.5
Attack Vector	NETWORK
Attack complexity	HIGH
Privileges required	NONE
User interaction	REQUIRED
Scope	UNCHANGED
Confidentiality	HIGH
Integrity impact	HIGH
Availability impact	HIGH
Vector	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Status

Product	Release	Package	Status
Alpaquita Linux	23 LTS	libpng	Fixed (1.6.56-r0)
	25 LTS	libpng	Fixed (1.6.56-r0)
	Stream	libpng	Fixed (1.6.56-r0)
Hardened Containers	23 LTS	libpng	Fixed (1.6.56-r0)
	25 LTS	libpng	Fixed (1.6.56-r0)
	Stream	libpng	Fixed (1.6.56-r0)

CVE-2026-33416

Description

Severity score breakdown

Status

References