CVE-2026-33416: CWE-416: Use After Free in pnggroup libpng
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, `png_set_tRNS` and `png_set_PLTE` each alias a heap-allocated buffer between `png_struct` and `png_info`, sharing a single allocation across two structs with independent lifetimes. The `trans_alpha` aliasing has been present since at least libpng 1.0, and the `palette` aliasing since at least 1.2.1. Both affect all prior release lines `png_set_tRNS` sets `png_ptr->trans_alpha = info_ptr->trans_alpha` (256-byte buffer) and `png_set_PLTE` sets `info_ptr->palette = png_ptr->palette` (768-byte buffer). In both cases, calling `png_free_data` (with `PNG_FREE_TRNS` or `PNG_FREE_PLTE`) frees the buffer through `info_ptr` while the corresponding `png_ptr` pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory. A second call to `png_set_tRNS` or `png_set_PLTE` has the same effect, because both functions call `png_free_data` internally before reallocating the `info_ptr` buffer. Version 1.6.56 fixes the issue.
AI Analysis
Technical Summary
Libpng, a widely used library for handling PNG images, contains a use-after-free vulnerability in versions 1.2.1 through 1.6.55. The vulnerability occurs because the functions png_set_tRNS and png_set_PLTE alias heap-allocated buffers between png_struct and png_info, sharing a single allocation with independent lifetimes. When png_free_data is called with PNG_FREE_TRNS or PNG_FREE_PLTE, it frees the buffer through info_ptr, leaving the corresponding pointer in png_ptr dangling. Subsequent row-transform functions may dereference or write to this freed memory, causing use-after-free conditions. This flaw is resolved in version 1.6.56.
Potential Impact
Successful exploitation can lead to high impact including potential arbitrary code execution, data corruption, or denial of service due to use-after-free memory corruption. The vulnerability affects confidentiality, integrity, and availability as indicated by the CVSS vector (C:H/I:H/A:H). No known exploits in the wild have been reported as of the publication date.
Mitigation Recommendations
A fix is available in libpng version 1.6.56. Users and developers should upgrade to version 1.6.56 or later to remediate this vulnerability. No vendor advisory was provided in the input, but the version information clearly indicates the fixed release. Until upgrading, avoid processing untrusted PNG files with affected versions to reduce risk.
CVE-2026-33416: CWE-416: Use After Free in pnggroup libpng
Description
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, `png_set_tRNS` and `png_set_PLTE` each alias a heap-allocated buffer between `png_struct` and `png_info`, sharing a single allocation across two structs with independent lifetimes. The `trans_alpha` aliasing has been present since at least libpng 1.0, and the `palette` aliasing since at least 1.2.1. Both affect all prior release lines `png_set_tRNS` sets `png_ptr->trans_alpha = info_ptr->trans_alpha` (256-byte buffer) and `png_set_PLTE` sets `info_ptr->palette = png_ptr->palette` (768-byte buffer). In both cases, calling `png_free_data` (with `PNG_FREE_TRNS` or `PNG_FREE_PLTE`) frees the buffer through `info_ptr` while the corresponding `png_ptr` pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory. A second call to `png_set_tRNS` or `png_set_PLTE` has the same effect, because both functions call `png_free_data` internally before reallocating the `info_ptr` buffer. Version 1.6.56 fixes the issue.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Libpng, a widely used library for handling PNG images, contains a use-after-free vulnerability in versions 1.2.1 through 1.6.55. The vulnerability occurs because the functions png_set_tRNS and png_set_PLTE alias heap-allocated buffers between png_struct and png_info, sharing a single allocation with independent lifetimes. When png_free_data is called with PNG_FREE_TRNS or PNG_FREE_PLTE, it frees the buffer through info_ptr, leaving the corresponding pointer in png_ptr dangling. Subsequent row-transform functions may dereference or write to this freed memory, causing use-after-free conditions. This flaw is resolved in version 1.6.56.
Potential Impact
Successful exploitation can lead to high impact including potential arbitrary code execution, data corruption, or denial of service due to use-after-free memory corruption. The vulnerability affects confidentiality, integrity, and availability as indicated by the CVSS vector (C:H/I:H/A:H). No known exploits in the wild have been reported as of the publication date.
Mitigation Recommendations
A fix is available in libpng version 1.6.56. Users and developers should upgrade to version 1.6.56 or later to remediate this vulnerability. No vendor advisory was provided in the input, but the version information clearly indicates the fixed release. Until upgrading, avoid processing untrusted PNG files with affected versions to reduce risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-19T17:02:34.172Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69c569d6f4197a8e3be94d7b
Added to database: 3/26/2026, 5:16:06 PM
Last enriched: 4/3/2026, 12:56:59 PM
Last updated: 5/9/2026, 9:44:16 PM
Views: 70
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.