CVE-2026-33416: LIBPNG has use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`

Published Mar 26, 2026
·
Updated

LIBPNG has use-after-free via pointer aliasing in pngsettRNS and pngsetPLTE

Other sources

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, pngsettRNS and pngsetPLTE each alias a heap-allocated buffer between pngstruct and pnginfo, sharing a single allocation across two structs with independent lifetimes. The transalpha aliasing has been present since at least libpng 1.0, and the palette aliasing since at least 1.2.1. Both affect all prior release lines pngsettRNS sets pngptr->transalpha = infoptr->transalpha (256-byte buffer) and pngsetPLTE sets infoptr->palette = pngptr->palette (768-byte buffer). In both cases, calling pngfreedata (with PNGFREETRNS or PNGFREEPLTE) frees the buffer through infoptr while the corresponding pngptr pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory. A second call to pngsettRNS or pngsetPLTE has the same effect, because both functions call pngfreedata internally before reallocating the infoptr buffer. Version 1.6.56 fixes the issue.

MITRE

Affected Software

4 affected componentsFixes available
libpng LIBPNG>=1.2.1<=1.6.55
Microsoft cbl2 libpng 1.6.55-1
Patch available
Microsoft azl3 libpng 1.6.55-1
Patch available
libpng LIBPNG>=1.2.1<1.6.56

Remediation

Patch Available

https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb

Patch Available

https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667

Patch Available

https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25

Patch Available

https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1

Patch Available

https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j

Event History

Mar 26, 2026
CVE Published
via MITRE·04:48 PM
Data Sourced
via MITRE·04:48 PM
DescriptionSeverityWeakness
Data Sourced
via NVD·05:16 PM
RemedyDescriptionSeverityWeaknessAffected Software
Data Sourced
via Red Hat·06:02 PM
DescriptionSeverityAffected Software
Mar 29, 2026
Data Sourced
via Microsoft·08:02 AM
DescriptionSeverityWeaknessAffected Software
Updated
via Microsoft·08:02 AM
Affected Software
Updated
via Microsoft·08:02 AM
DescriptionSeverity
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2026-33416?

CVE-2026-33416 has been classified as a high severity vulnerability due to its potential for exploitation via a use-after-free condition.

2

How do I fix CVE-2026-33416?

To fix CVE-2026-33416, update to a version of libpng later than 1.6.55, ensuring you are utilizing a patched release.

3

Which versions of libpng are affected by CVE-2026-33416?

CVE-2026-33416 affects libpng versions from 1.2.1 through 1.6.55.

4

What are the consequences of exploiting CVE-2026-33416?

Exploitation of CVE-2026-33416 can lead to arbitrary code execution or denial of service due to the use-after-free vulnerability.

5

How does the use-after-free in CVE-2026-33416 occur?

The use-after-free in CVE-2026-33416 occurs due to pointer aliasing in the functions png_set_tRNS and png_set_PLTE, leading to potential memory corruption.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203