{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33416", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-19T17:02:34.172Z", "datePublished": "2026-03-26T16:48:54.174Z", "dateUpdated": "2026-03-26T19:52:10.961Z"}, "containers": {"cna": {"title": "LIBPNG has use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`", "problemTypes": [{"descriptions": [{"cweId": "CWE-416", "lang": "en", "description": "CWE-416: Use After Free", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j"}, {"name": "https://github.com/pnggroup/libpng/pull/824", "tags": ["x_refsource_MISC"], "url": "https://github.com/pnggroup/libpng/pull/824"}, {"name": "https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb", "tags": ["x_refsource_MISC"], "url": "https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb"}, {"name": "https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667", "tags": ["x_refsource_MISC"], "url": "https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667"}, {"name": "https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25", "tags": ["x_refsource_MISC"], "url": "https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25"}, {"name": "https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1", "tags": ["x_refsource_MISC"], "url": "https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1"}], "affected": [{"vendor": "pnggroup", "product": "libpng", "versions": [{"version": ">= 1.2.1, < 1.6.56", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T16:48:54.174Z"}, "descriptions": [{"lang": "en", "value": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, `png_set_tRNS` and `png_set_PLTE` each alias a heap-allocated buffer between `png_struct` and `png_info`, sharing a single allocation across two structs with independent lifetimes. The `trans_alpha` aliasing has been present since at least libpng 1.0, and the `palette` aliasing since at least 1.2.1. Both affect all prior release lines `png_set_tRNS` sets `png_ptr->trans_alpha = info_ptr->trans_alpha` (256-byte buffer) and `png_set_PLTE` sets `info_ptr->palette = png_ptr->palette` (768-byte buffer). In both cases, calling `png_free_data` (with `PNG_FREE_TRNS` or `PNG_FREE_PLTE`) frees the buffer through `info_ptr` while the corresponding `png_ptr` pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory. A second call to `png_set_tRNS` or `png_set_PLTE` has the same effect, because both functions call `png_free_data` internally before reallocating the `info_ptr` buffer. Version 1.6.56 fixes the issue."}], "source": {"advisory": "GHSA-m4pc-p4q3-4c7j", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33416", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T19:49:05.196519Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T19:52:10.961Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33416", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T19:49:05.196519Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T19:50:41.189Z"}}], "cna": {"title": "LIBPNG has use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`", "source": {"advisory": "GHSA-m4pc-p4q3-4c7j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "pnggroup", "product": "libpng", "versions": [{"status": "affected", "version": ">= 1.2.1, < 1.6.56"}]}], "references": [{"url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j", "name": "https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/pnggroup/libpng/pull/824", "name": "https://github.com/pnggroup/libpng/pull/824", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb", "name": "https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667", "name": "https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25", "name": "https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1", "name": "https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, `png_set_tRNS` and `png_set_PLTE` each alias a heap-allocated buffer between `png_struct` and `png_info`, sharing a single allocation across two structs with independent lifetimes. The `trans_alpha` aliasing has been present since at least libpng 1.0, and the `palette` aliasing since at least 1.2.1. Both affect all prior release lines `png_set_tRNS` sets `png_ptr->trans_alpha = info_ptr->trans_alpha` (256-byte buffer) and `png_set_PLTE` sets `info_ptr->palette = png_ptr->palette` (768-byte buffer). In both cases, calling `png_free_data` (with `PNG_FREE_TRNS` or `PNG_FREE_PLTE`) frees the buffer through `info_ptr` while the corresponding `png_ptr` pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory. A second call to `png_set_tRNS` or `png_set_PLTE` has the same effect, because both functions call `png_free_data` internally before reallocating the `info_ptr` buffer. Version 1.6.56 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416: Use After Free"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T16:48:54.174Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33416", "state": "PUBLISHED", "dateUpdated": "2026-03-26T19:52:10.961Z", "dateReserved": "2026-03-19T17:02:34.172Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T16:48:54.174Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, `png_set_tRNS` and `png_set_PLTE` each alias a heap-allocated buffer between `png_struct` and `png_info`, sharing a single allocation across two structs with independent lifetimes. The `trans_alpha` aliasing has been present since at least libpng 1.0, and the `palette` aliasing since at least 1.2.1. Both affect all prior release lines `png_set_tRNS` sets `png_ptr->trans_alpha = info_ptr->trans_alpha` (256-byte buffer) and `png_set_PLTE` sets `info_ptr->palette = png_ptr->palette` (768-byte buffer). In both cases, calling `png_free_data` (with `PNG_FREE_TRNS` or `PNG_FREE_PLTE`) frees the buffer through `info_ptr` while the corresponding `png_ptr` pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory. A second call to `png_set_tRNS` or `png_set_PLTE` has the same effect, because both functions call `png_free_data` internally before reallocating the `info_ptr` buffer. Version 1.6.56 fixes the issue."}, {"lang": "es", "value": "LIBPNG es una biblioteca de referencia para su uso en aplicaciones que leen, crean y manipulan archivos de imagen r\u00e1ster PNG (Portable Network Graphics). En las versiones 1.2.1 a 1.6.55, 'png_set_tRNS' y 'png_set_PLTE' cada una aliasan un b\u00fafer asignado en el heap entre 'png_struct' y 'png_info', compartiendo una \u00fanica asignaci\u00f3n entre dos estructuras con vidas \u00fatiles independientes. El aliasing de 'trans_alpha' ha estado presente desde al menos libpng 1.0, y el aliasing de 'palette' desde al menos 1.2.1. Ambos afectan a todas las l\u00edneas de versiones anteriores: 'png_set_tRNS' establece 'png_ptr-&gt;trans_alpha = info_ptr-&gt;trans_alpha' (b\u00fafer de 256 bytes) y 'png_set_PLTE' establece 'info_ptr-&gt;palette = png_ptr-&gt;palette' (b\u00fafer de 768 bytes). En ambos casos, llamar a 'png_free_data' (con 'PNG_FREE_TRNS' o 'PNG_FREE_PLTE') libera el b\u00fafer a trav\u00e9s de 'info_ptr' mientras que el puntero 'png_ptr' correspondiente permanece colgante. Las funciones de transformaci\u00f3n de fila subsiguientes desreferencian y, en algunas rutas de c\u00f3digo, escriben en la memoria liberada. Una segunda llamada a 'png_set_tRNS' o 'png_set_PLTE' tiene el mismo efecto, porque ambas funciones llaman internamente a 'png_free_data' antes de reasignar el b\u00fafer de 'info_ptr'. La versi\u00f3n 1.6.56 corrige el problema."}], "id": "CVE-2026-33416", "lastModified": "2026-03-30T13:26:50.827", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T17:16:38.443", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb"}, {"source": "security-advisories@github.com", "url": "https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667"}, {"source": "security-advisories@github.com", "url": "https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25"}, {"source": "security-advisories@github.com", "url": "https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1"}, {"source": "security-advisories@github.com", "url": "https://github.com/pnggroup/libpng/pull/824"}, {"source": "security-advisories@github.com", "url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "libpng: libpng: Arbitrary code execution due to use-after-free vulnerability", "id": "2451805", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451805"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-825", "details": ["A flaw was found in libpng, a library used for processing PNG (Portable Network Graphics) image files. This vulnerability arises from improper memory management where a heap-allocated buffer is aliased between internal data structures. When specific functions are called, a freed memory region can still be referenced, leading to a use-after-free condition. An attacker could potentially exploit this to achieve arbitrary code execution or cause a denial of service."], "mitigation": {"lang": "en:us", "value": "To reduce exposure, avoid processing untrusted PNG image files with applications that utilize libpng. Restricting the source of PNG images to trusted origins can limit the attack surface."}, "name": "CVE-2026-33416", "package_state": [{"cpe": "cpe:/a:redhat:openjdk_els:11", "fix_state": "Affected", "package_name": "java-11-openjdk", "product_name": "Red Hat build of OpenJDK 11 ELS"}, {"cpe": "cpe:/a:redhat:openjdk_els:11", "fix_state": "Affected", "package_name": "java-11-openjdk-portable", "product_name": "Red Hat build of OpenJDK 11 ELS"}, {"cpe": "cpe:/a:redhat:openjdk_els:11", "fix_state": "Affected", "package_name": "java-17-openjdk", "product_name": "Red Hat build of OpenJDK 11 ELS"}, {"cpe": "cpe:/a:redhat:openjdk_els:11", "fix_state": "Affected", "package_name": "java-21-openjdk", "product_name": "Red Hat build of OpenJDK 11 ELS"}, {"cpe": "cpe:/a:redhat:openjdk_els:11", "fix_state": "Affected", "package_name": "java-21-openjdk-vanilla", "product_name": "Red Hat build of OpenJDK 11 ELS"}, {"cpe": "cpe:/a:redhat:openjdk_els:11", "fix_state": "Affected", "package_name": "java-25-openjdk-portable", "product_name": "Red Hat build of OpenJDK 11 ELS"}, {"cpe": "cpe:/a:redhat:openjdk:17", "fix_state": "Affected", "package_name": "java-17-openjdk", "product_name": "Red Hat build of OpenJDK 17"}, {"cpe": "cpe:/a:redhat:openjdk:17", "fix_state": "Affected", "package_name": "java-17-openjdk-portable", "product_name": "Red Hat build of OpenJDK 17"}, {"cpe": "cpe:/a:redhat:openjdk:17", "fix_state": "Affected", "package_name": "java-21-openjdk", "product_name": "Red Hat build of OpenJDK 17"}, {"cpe": "cpe:/a:redhat:openjdk:17", "fix_state": "Affected", "package_name": "java-21-openjdk-vanilla", "product_name": "Red Hat build of OpenJDK 17"}, {"cpe": "cpe:/a:redhat:openjdk:17", "fix_state": "Affected", "package_name": "java-25-openjdk-portable", "product_name": "Red Hat build of OpenJDK 17"}, {"cpe": "cpe:/a:redhat:openjdk:1.8", "fix_state": "Affected", "package_name": "java-17-openjdk", "product_name": "Red Hat build of OpenJDK 1.8"}, {"cpe": "cpe:/a:redhat:openjdk:1.8", "fix_state": "Affected", "package_name": "java-1.8.0-openjdk-portable", "product_name": "Red Hat build of OpenJDK 1.8"}, {"cpe": "cpe:/a:redhat:openjdk:1.8", "fix_state": "Affected", "package_name": "java-21-openjdk", "product_name": "Red Hat build of OpenJDK 1.8"}, {"cpe": "cpe:/a:redhat:openjdk:1.8", "fix_state": "Affected", "package_name": "java-21-openjdk-vanilla", "product_name": "Red Hat build of OpenJDK 1.8"}, {"cpe": "cpe:/a:redhat:openjdk:21", "fix_state": "Affected", "package_name": "java-17-openjdk", "product_name": "Red Hat build of OpenJDK 21"}, {"cpe": "cpe:/a:redhat:openjdk:21", "fix_state": "Affected", "package_name": "java-21-openjdk", "product_name": "Red Hat build of OpenJDK 21"}, {"cpe": "cpe:/a:redhat:openjdk:21", "fix_state": "Affected", "package_name": "java-21-openjdk-portable", "product_name": "Red Hat build of OpenJDK 21"}, {"cpe": "cpe:/a:redhat:openjdk:21", "fix_state": "Affected", "package_name": "java-21-openjdk-vanilla", "product_name": "Red Hat build of OpenJDK 21"}, {"cpe": "cpe:/a:redhat:openjdk:21", "fix_state": "Affected", "package_name": "java-25-openjdk-portable", "product_name": "Red Hat build of OpenJDK 21"}, {"cpe": "cpe:/a:redhat:openjdk:25", "fix_state": "Affected", "package_name": "java-25-openjdk-portable", "product_name": "Red Hat build of OpenJDK 25"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "java-21-openjdk", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "java-25-openjdk", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "libpng", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Affected", "package_name": "libpng", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "libpng", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "libpng12", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "java-17-openjdk", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "java-1.8.0-openjdk", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "java-21-openjdk", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "libpng", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "libpng12", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "libpng15", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "mingw-libpng", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "java-17-openjdk", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "java-1.8.0-openjdk", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "java-21-openjdk", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "java-25-openjdk", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "libpng", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "libpng15", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-03-26T16:48:54Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33416\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33416\nhttps://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb\nhttps://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667\nhttps://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25\nhttps://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1\nhttps://github.com/pnggroup/libpng/pull/824\nhttps://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.2.1,1.6.56)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "libpng", "source": "cna", "vendor": "pnggroup"}, "product": "libpng", "vendor": "pnggroup"}], "analysis": {"en": {"generated_at": "2026-03-27T14:21:09.002344+00:00", "value": {"mitigation_remediation": ["Update libpng to version 1.6.56 or later", "If an immediate update is not possible, reject or sanitize untrusted PNG files before processing", "Consider disabling PNG processing in affected applications until a patch is applied"], "summary": {"action": "Immediate Patch", "impact": "Use\u2011After\u2011Free Memory Corruption"}, "threat_synthesis": {"affected_systems": "The flaw exists in all releases of the libpng reference library from pnggroup between versions 1.2.1 and 1.6.55, inclusive. Any application that incorporates this library\u2014such as web browsers, image editors, media servers, or document creation tools\u2014could be affected. The vendor\u2019s official fix appears in libpng 1.6.56 and later releases.", "description_and_impact": "In versions 1.2.1 through 1.6.55 of the libpng image processing library, the functions png_set_tRNS and png_set_PLTE create aliases of heap\u2011allocated buffers between two independent structures. When png_free_data frees the buffer through one structure, the other structure\u2019s pointer becomes dangling. Subsequent image\u2011processing calls may dereference this stale pointer and write to the freed memory, resulting in memory corruption that can cause a crash or unstable behavior. The CVE description does not explicitly state that execution is possible; the impact is limited to corrupting internal state of the library during PNG handling.", "risk_and_exploitability": "The CVSS score of 7.5 classifies this vulnerability as high severity, though the EPSS score is reported below 1% and it has not been listed in the CISA KEV catalog. Actual exploitation would require an attacker to supply a crafted PNG file that triggers the dangling pointer. The likely attack vector is remote via file upload or other means of delivering a malicious PNG to the affected application; this inference is drawn from the nature of the vulnerability and is not directly stated in the CVE data."}}}}, "created": "2026-03-27T08:33:42.943919+00:00", "updated": "2026-03-27T15:47:33.748269+00:00", "vendors": ["pnggroup", "pnggroup$PRODUCT$libpng"]}