Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

CVE-2026-33416

LIBPNG has use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`
Back to all
CVE

CVE-2026-33416

LIBPNG has use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, pngsettRNS and pngsetPLTE each alias a heap-allocated buffer between png_struct and png_info, sharing a single allocation across two structs with independent lifetimes. The trans_alpha aliasing has been present since at least libpng 1.0, and the palette aliasing since at least 1.2.1. Both affect all prior release lines pngsettRNS sets pngptr->transalpha = infoptr->transalpha (256-byte buffer) and pngsetPLTE sets infoptr->palette = pngptr->palette (768-byte buffer). In both cases, calling pngfreedata (with PNGFREETRNS or PNGFREEPLTE) frees the buffer through info_ptr while the corresponding png_ptr pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory. A second call to pngsettRNS or pngsetPLTE has the same effect, because both functions call pngfreedata internally before reallocating the info_ptr buffer. Version 1.6.56 fixes the issue.

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
7.5
-
3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
C
H
U
-

Related Resources

No items found.

References

https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33416.json, https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb, https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667, https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25, https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1, https://github.com/pnggroup/libpng/pull/824, https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j, https://nvd.nist.gov/vuln/detail/CVE-2026-33416

Severity

7.5

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
7.5
EPSS Probability
0.00026%
EPSS Percentile
0.07835%
Introduced Version
f50c91b7bd6d7c539bd8820c8ab2e37a86108a44,0,1.2.1
Fix Available
d5515b5b8be3901aac04e5bd8bd5c89f287bcd33,0:140.9.1-1.el8_10,0:140.9.1-1.el9_7,1:25.0.3.0.9-1.el9,2:1.6.37-12.el9_7.4,1.6.39-2+deb12u4,1.6.48-1+deb13u4,1.6.37-3+deb11u3,0:1.6.43-5ubuntu0.6,0:1.6.37-3ubuntu0.5,1.6.56,1.6.56-r0,0:140.9.1-1.0.1.el8_10,1:25.0.3.0.9-1.0.1.el9,0:140.9.1-1.0.1.el9_7,0:140.9.0-1.amzn2023.0.2,2:1.6.37-10.amzn2023.0.12,0:140.9.0-1.amzn2.0.2,0:1.2.50-10.amzn2.0.4,2:1.5.13-8.amzn2.0.8

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading