The vulnerability CVE-2026-33416 affects libpng, a widely used reference library for reading, creating, and manipulating PNG image files. Specifically, in versions from 1.2.1 up to 1.6.55, the functions png_set_tRNS and png_set_PLTE create aliasing between heap-allocated buffers shared by two structures: png_struct and png_info. These buffers, trans_alpha (256 bytes) and palette (768 bytes), are allocated once but referenced independently by these structs, which have different lifetimes. When png_free_data is called with PNG_FREE_TRNS or PNG_FREE_PLTE, it frees the buffer via info_ptr, but the corresponding pointer in png_ptr remains dangling. Subsequent row-transform functions may dereference or write to this freed memory, leading to use-after-free conditions. Additionally, repeated calls to png_set_tRNS or png_set_PLTE exacerbate the issue because these functions internally free and reallocate buffers, perpetuating dangling pointers. This vulnerability can cause memory corruption, potentially leading to arbitrary code execution, denial of service, or information disclosure. The flaw has existed since at least libpng 1.0 for trans_alpha and 1.2.1 for palette aliasing. The issue was addressed and fixed in libpng version 1.6.56. The CVSS v3.1 score is 7.5, reflecting a high severity with network attack vector, high impact on confidentiality, integrity, and availability, but requiring user interaction and high attack complexity.

Given libpng’s widespread integration in numerous software products, including web browsers, image editors, document viewers, and various server-side applications, this vulnerability poses a significant risk globally. Exploiting this use-after-free flaw could allow attackers to execute arbitrary code, crash applications, or leak sensitive information by crafting malicious PNG images. This can lead to remote code execution in client applications processing untrusted images, potentially compromising user systems or servers. The requirement for user interaction (e.g., opening a malicious image) limits automated exploitation but does not eliminate risk, especially in environments where users frequently handle PNG files from untrusted sources. The vulnerability impacts confidentiality, integrity, and availability, threatening data security and system stability. Organizations relying on libpng in their software stacks face risks of targeted attacks, supply chain compromises, or widespread malware propagation if attackers weaponize this flaw. The absence of known exploits in the wild currently reduces immediate threat but does not preclude future exploitation.

The primary mitigation is to upgrade all libpng deployments to version 1.6.56 or later, where the vulnerability is fixed. Organizations should audit all software components and dependencies that include libpng to ensure they are updated accordingly. For applications that cannot immediately upgrade, consider implementing input validation and sandboxing techniques to isolate image processing and limit the impact of potential exploitation. Employ runtime protections such as memory corruption mitigations (e.g., ASLR, DEP, and Control Flow Guard) to reduce exploitation success. Monitor for suspicious activity related to image processing and user interactions involving PNG files. Security teams should also educate users about the risks of opening untrusted images and enforce policies restricting the use of unverified PNG files. Finally, coordinate with software vendors and maintain awareness of any emerging exploits or patches related to this vulnerability.