CVE-2026-33416 — Use After Free in Libpng

CWE-416 — Use After Free CWE-825 — Expired Pointer Dereference18 documents9 sources

Severity

7.5HIGHNVD

EPSS

0.0%

top 87.22%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Libpng Pnggroup Libpng

Timeline

PublishedMar 26

Latest updateApr 6

Description

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, `png_set_tRNS` and `png_set_PLTE` each alias a heap-allocated buffer between `png_struct` and `png_info`, sharing a single allocation across two structs with independent lifetimes. The `trans_alpha` aliasing has been present since at least libpng 1.0, and the `palette` aliasing since at least 1.2.1. Both affect all prior rel…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages2 packages

▶NVDlibpng/libpng1.2.1 — 1.6.56

▶CVEListV5pnggroup/libpng>= 1.2.1, < 1.6.56

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

LIBPNG has use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`↗2026-03-26

▶

OSV

CVE-2026-33416: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files↗2026-03-26

▶

📋Vendor Advisories

Red Hat

libpng: libpng: Arbitrary code execution due to use-after-free vulnerability↗2026-03-26

▶

Microsoft

LIBPNG has use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`↗2026-03-10

▶

Debian

CVE-2026-33416: libpng1.6 - LIBPNG is a reference library for use in applications that read, create, and man...↗2026

▶

🕵️Threat Intelligence

Hackernews

⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More↗2026-04-06

▶

Wiz

CVE-2026-23865 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-3713 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-34757 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

ELSA-2026-0932 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2026-33416 mingw-libpng: libpng: Arbitrary code execution due to use-after-free vulnerability [fedora-43]↗2026-03-27

▶

Bugzilla

CVE-2026-33416 libpng: libpng: Arbitrary code execution due to use-after-free vulnerability [fedora-43]↗2026-03-27

▶

Bugzilla

CVE-2026-33416 libpng: libpng: Arbitrary code execution due to use-after-free vulnerability [fedora-42]↗2026-03-27

▶

Bugzilla

CVE-2026-33416 mingw-libpng: libpng: Arbitrary code execution due to use-after-free vulnerability [fedora-42]↗2026-03-27

▶

Bugzilla

Update libpng to new version v1.6.56 from 2026-03-25 22:47:06 (includes fixes for CVE-2026-33416, CVE-2026-33636)↗2026-03-26

▶