PT-2026-28481 · Libpng+3

Oblivionsage +1 · Published 2026-01-01 · Updated 2026-05-18 · CVE-2026-33416

CVSS v2.0: 7.6 High

Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

LIBPNG versions 1.2.1 through 1.6.55

Description

LIBPNG is a library used by applications to read, create, and manipulate PNG raster image files. Versions 1.2.1 through 1.6.55 contain an issue where the png_set_tRNS and png_set_PLTE functions alias a heap-allocated buffer between png_struct and png_info, sharing a single allocation across two structures with independent lifetimes. This aliasing has been present since at least libpng 1.0 for trans_alpha and since at least 1.2.1 for palette. When png_free_data is called with PNG_FREE_TRNS or PNG_FREE_PLTE, the buffer is freed through info_ptr while the corresponding png_ptr pointer remains dangling. Subsequent row-transform functions may then dereference and write to this freed memory. Calling png_set_tRNS or png_set_PLTE a second time has the same effect, as these functions call png_free_data internally before reallocating the info_ptr buffer.

Recommendations

Versions 1.2.1 through 1.6.55 should be updated to version 1.6.56 or later.
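
The shared-ownership pattern from the description, reduced to a toy model, beside a variant in which each structure owns a private copy. This is an added example, not libpng's code or its actual fix; the toy_* types and functions and the sample alpha table are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Toy stand-ins for png_struct and png_info (assumed; not libpng's layout). */
typedef struct { unsigned char *trans_alpha; size_t num_trans; } toy_png, toy_info;
static unsigned char *dup_buf(const unsigned char *src, size_t n) {
    unsigned char *p = malloc(n ? n : 1);
    if (p != NULL && n != 0) memcpy(p, src, n);
    return p;
}
/* Frees only the info-side buffer, like png_free_data with PNG_FREE_TRNS. */
void toy_free_info_trns(toy_info *info) {
    free(info->trans_alpha);
    info->trans_alpha = NULL; info->num_trans = 0;
}
/* Pattern from the description: one allocation reachable from both structs. */
int toy_set_trns_aliased(toy_png *png, toy_info *info, const unsigned char *a, size_t n) {
    toy_free_info_trns(info);             /* setter frees through info first */
    if ((info->trans_alpha = dup_buf(a, n)) == NULL) return -1;
    png->trans_alpha = info->trans_alpha; /* alias: png borrows, info owns */
    png->num_trans = info->num_trans = n;
    return 0;
}
/* Hardened variant: each struct owns its copy, so the lifetimes are independent. */
int toy_set_trns_owned(toy_png *png, toy_info *info, const unsigned char *a, size_t n) {
    unsigned char *for_info = dup_buf(a, n), *for_png = dup_buf(a, n);
    if (for_info == NULL || for_png == NULL) { free(for_info); free(for_png); return -1; }
    toy_free_info_trns(info);
    free(png->trans_alpha);               /* png releases its own old copy */
    info->trans_alpha = for_info; png->trans_alpha = for_png;
    png->num_trans = info->num_trans = n;
    return 0;
}
/* 1 if freeing through info would leave png holding a dangling pointer. */
int toy_shares_buffer(const toy_png *png, const toy_info *info) {
    return png->trans_alpha != NULL && png->trans_alpha == info->trans_alpha;
}
/* Row-transform stand-in: alpha for a palette index, opaque past the table. */
unsigned char toy_alpha_for(const toy_png *png, size_t idx) {
    return idx < png->num_trans ? png->trans_alpha[idx] : 255;
}
int main(void) {
    const unsigned char alpha[] = { 0, 128, 255 };   /* constructed sample */
    toy_png p = {0}; toy_info i = {0};
    if (toy_set_trns_owned(&p, &i, alpha, 3) != 0) return 1;
    toy_free_info_trns(&i);               /* png's copy is unaffected */
    int ok = toy_alpha_for(&p, 1) == 128;
    free(p.trans_alpha);
    return ok ? 0 : 1;
}
```

The aliased setter is never followed by a read through the toy png side here; toy_shares_buffer only reports that such a read would touch memory owned by the info side.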

Exploit

Fix

DoS

Use After Free

Weakness Enumeration

Related Identifiers

ALSA-2026:18028
ALSA-2026:18064
ALSA-2026:7671
ALSA-2026:7672
ALSA-2026:8052
ALSA-2026:8459
ALSA-2026:9345
ALSA-2026:9638
ALSA-2026:9693
BDU:2026-06668
CVE-2026-33416
ECHO-5EBC-A922-BBDA
GHSA-M4PC-P4Q3-4C7J
MGASA-2026-0070
OESA-2026-1852
OPENSUSE-SU-2026:10451-1
OPENSUSE-SU-2026:10640-1
OPENSUSE-SU-2026:20466-1
RHSA-2026:11805
RHSA-2026:11813
RHSA-2026:12264
RHSA-2026:13342
RHSA-2026:13412
RHSA-2026:13533
RHSA-2026:13582
RHSA-2026:13583
RHSA-2026:13596
RHSA-2026:13600
RHSA-2026:13665
RHSA-2026:13682
RHSA-2026:13683
RHSA-2026:13922
RHSA-2026:13977
RHSA-2026:14223
RHSA-2026:14303
RHSA-2026:15889
RHSA-2026:18028
RHSA-2026:18064
RHSA-2026:6732
RHSA-2026:7671
RHSA-2026:7672
RHSA-2026:8052
RHSA-2026:8459
RHSA-2026:9254
RHSA-2026:9345
RHSA-2026:9638
RHSA-2026:9693
SUSE-SU-2026:1311-1
SUSE-SU-2026:1323-1
SUSE-SU-2026:1368-1
SUSE-SU-2026:1500-1
SUSE-SU-2026:1702-1
SUSE-SU-2026:1716-1
SUSE-SU-2026:21000-1
SUSE-SU-2026:21038-1
SUSE-SU-2026:21067-1
SUSE-SU-2026:21138-1
USN-8251-1

Affected Products

Libpng
Linuxmint
Rocky Linux
Ubuntu