CVE-2026-33636: CWE-125: Out-of-bounds Read in pnggroup libpng
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.6.36 through 1.6.55, an out-of-bounds read and write exists in libpng's ARM/AArch64 Neon-optimized palette expansion path. When expanding 8-bit paletted rows to RGB or RGBA, the Neon loop processes a final partial chunk without verifying that enough input pixels remain. Because the implementation works backward from the end of the row, the final iteration dereferences pointers before the start of the row buffer (OOB read) and writes expanded pixel data to the same underflowed positions (OOB write). This is reachable via normal decoding of attacker-controlled PNG input if Neon is enabled. Version 1.6.56 fixes the issue.
AI Analysis
Technical Summary
CVE-2026-33636 is a memory-safety flaw in libpng, the reference library for reading and writing PNG images, affecting versions 1.6.36 through 1.6.55. The defect lies in the ARM/AArch64 Neon-optimized palette expansion path, the code that converts 8-bit paletted image rows into RGB or RGBA. That Neon loop walks the row backward from its end; when it reaches the final partial chunk it does not check that enough input pixels remain, so the last iteration dereferences pointers that lie before the start of the row buffer (an out-of-bounds read) and writes the expanded pixel data back to those same underflowed positions (an out-of-bounds write). Although the record is classified as CWE-125 (out-of-bounds read), the description explicitly states that a write occurs as well, so the flaw should be assessed as memory corruption, not only as an information leak.

The bug is reached through ordinary decoding of attacker-controlled PNG input on ARM or AArch64 systems where Neon is enabled; no privileges or authentication are needed, but a user or application must process the malicious image. The CVSS v3.1 base score is 7.6 (high): network attack vector, low attack complexity, no privileges required, user interaction required, and impacts to confidentiality, integrity and availability. The fix ships in libpng 1.6.56. No exploitation in the wild has been reported at the time of writing.

Because libpng is embedded in a very large amount of software and in many devices that decode PNG images, and because ARM/AArch64 platforms with Neon acceleration are common, the exposed population is large. A crafted PNG can at minimum crash the decoding application; whether the out-of-bounds write can be turned into arbitrary code execution depends on the surrounding allocator state and on the mitigations present in the hosting process.
Potential Impact
The out-of-bounds read and write corrupt memory adjacent to the row buffer, which can crash the decoding process (denial of service) and, under favourable conditions, may enable information disclosure or code execution. Because libpng is embedded in web browsers, image viewers, mobile apps and countless other components, any software that decodes attacker-controlled PNG images on an affected ARM/AArch64 system with Neon enabled is exposed; the consequences are service disruption and loss of confidentiality, integrity and availability of the affected process.

The need for user interaction (opening or otherwise processing a malicious PNG) limits fully automated exploitation but does not remove the risk, particularly where untrusted images are handled routinely, such as messaging clients, mail, web content and upload pipelines. The breadth of ARM/AArch64 deployment in mobile devices, IoT equipment and, increasingly, servers and desktops widens the scope of affected systems. Organizations running vulnerable libpng versions face an increased risk of targeted attacks or malware that leverages this flaw to escalate privileges or disrupt operations.
Mitigation Recommendations
The primary mitigation is to upgrade libpng to version 1.6.56 or later, where the flaw is fixed. Beyond that:

- Audit the software stack to find every component and application that links libpng statically or dynamically; statically linked copies (browsers, mobile apps, embedded firmware) do not pick up a system library update and must be rebuilt. Prioritise ARM/AArch64 hosts, since the vulnerable Neon path is only reachable there.
- Where patching is not immediately feasible, reduce exposure of the decoder: restrict where untrusted PNG input is accepted, and run image processing in an isolated or sandboxed component so that a crash or exploit is contained.
- Keep runtime hardening such as Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and Control Flow Integrity (CFI) enabled on decoder hosts to make exploitation of the out-of-bounds write harder.
- Monitor for crashes and other anomalies in image-processing services, and remind users of the risk of opening untrusted PNG files.
- Vendors and developers should rebuild and redistribute their products with the patched libpng promptly, and security teams should track threat intelligence for any emerging exploits targeting this CVE.
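The audit step above is mostly a version comparison across an inventory. The following script is an added example written for this page, not code from libpng or from the advisory source; it assumes each host reports its libpng version (for instance from `libpng-config --version` or `pkg-config --modversion libpng`) and its machine architecture from `uname -m`, and that those values were collected into the constructed `SAMPLE_INVENTORY` list shown inline. It flags versions in the stated affected range 1.6.36 through 1.6.55 and separates hosts where the Neon path is reachable (ARM/AArch64) from those where it is not, so that patching can be ordered by actual exposure.

```python
"""Triage helper for CVE-2026-33636 (example written for this page, not libpng or vendor code)."""
import re

# Affected range and fix version exactly as stated in the advisory.
AFFECTED_MIN = (1, 6, 36)
AFFECTED_MAX = (1, 6, 55)
FIXED = (1, 6, 56)

# The vulnerable code is the ARM/AArch64 Neon palette expansion path, so the
# bug is only reachable on these architectures (names as printed by `uname -m`).
NEON_ARCHES = {"arm", "armv7l", "armv8l", "aarch64", "arm64"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Parse a 'MAJOR.MINOR.RELEASE' string such as '1.6.40'.

    Trailing suffixes (e.g. a constructed '1.6.55.git') are ignored.
    Returns a tuple of ints, or None when the text is not a version.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def is_affected(version_text):
    """True when the libpng version lies within 1.6.36 .. 1.6.55 inclusive."""
    version = parse_version(version_text)
    if version is None:
        return False
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def triage(inventory):
    """Sort (host, libpng_version, arch) rows into action buckets.

    patch_now: affected version on an ARM/AArch64 host (Neon path reachable)
    patch:     affected version on another architecture (keep in the update plan)
    ok:        version outside the affected range
    unknown:   version string could not be parsed; needs manual follow-up
    """
    buckets = {"patch_now": [], "patch": [], "ok": [], "unknown": []}
    for host, version_text, arch in inventory:
        if parse_version(version_text) is None:
            buckets["unknown"].append(host)
        elif not is_affected(version_text):
            buckets["ok"].append(host)
        elif arch.lower() in NEON_ARCHES:
            buckets["patch_now"].append(host)
        else:
            buckets["patch"].append(host)
    return buckets


# Constructed sample inventory (hostnames, versions and arches are made up),
# as one might gather with: ssh host 'libpng-config --version; uname -m'
SAMPLE_INVENTORY = [
    ("build-arm-01", "1.6.40", "aarch64"),
    ("phone-fleet-img", "1.6.55.git", "arm64"),
    ("web-x86-02", "1.6.37", "x86_64"),
    ("legacy-01", "1.6.35", "aarch64"),
    ("patched-01", "1.6.56", "aarch64"),
    ("unknown-01", "n/a", "aarch64"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The `patch` bucket is deliberately kept separate rather than dropped: an x86 host with an affected version is not exposed to this Neon-only bug, but the same binary may be shipped to ARM targets, and the version still needs to move to 1.6.56 in the normal update cycle.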
Affected Countries
United States, China, India, Germany, Japan, South Korea, United Kingdom, France, Canada, Australia, Brazil, Russia, Taiwan, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-23T14:24:11.619Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c569d6f4197a8e3be94d98
Added to database: 3/26/2026, 5:16:06 PM
Last enriched: 3/26/2026, 5:30:57 PM
Last updated: 3/26/2026, 6:52:22 PM