{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33416", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-19T17:02:34.172Z", "datePublished": "2026-03-26T16:48:54.174Z", "dateUpdated": "2026-04-01T03:55:17.603Z"}, "containers": {"cna": {"title": "LIBPNG has use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`", "problemTypes": [{"descriptions": [{"cweId": "CWE-416", "lang": "en", "description": "CWE-416: Use After Free", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j"}, {"name": "https://github.com/pnggroup/libpng/pull/824", "tags": ["x_refsource_MISC"], "url": "https://github.com/pnggroup/libpng/pull/824"}, {"name": "https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb", "tags": ["x_refsource_MISC"], "url": "https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb"}, {"name": "https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667", "tags": ["x_refsource_MISC"], "url": "https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667"}, {"name": "https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25", "tags": ["x_refsource_MISC"], "url": "https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25"}, {"name": "https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1", "tags": ["x_refsource_MISC"], "url": "https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1"}], "affected": [{"vendor": "pnggroup", "product": "libpng", "versions": [{"version": ">= 1.2.1, < 1.6.56", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T16:48:54.174Z"}, "descriptions": [{"lang": "en", "value": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, `png_set_tRNS` and `png_set_PLTE` each alias a heap-allocated buffer between `png_struct` and `png_info`, sharing a single allocation across two structs with independent lifetimes. The `trans_alpha` aliasing has been present since at least libpng 1.0, and the `palette` aliasing since at least 1.2.1. Both affect all prior release lines `png_set_tRNS` sets `png_ptr->trans_alpha = info_ptr->trans_alpha` (256-byte buffer) and `png_set_PLTE` sets `info_ptr->palette = png_ptr->palette` (768-byte buffer). In both cases, calling `png_free_data` (with `PNG_FREE_TRNS` or `PNG_FREE_PLTE`) frees the buffer through `info_ptr` while the corresponding `png_ptr` pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory. A second call to `png_set_tRNS` or `png_set_PLTE` has the same effect, because both functions call `png_free_data` internally before reallocating the `info_ptr` buffer. Version 1.6.56 fixes the issue."}], "source": {"advisory": "GHSA-m4pc-p4q3-4c7j", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-33416"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T03:55:17.603Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33416", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T19:49:05.196519Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T19:50:41.189Z"}}], "cna": {"title": "LIBPNG has use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`", "source": {"advisory": "GHSA-m4pc-p4q3-4c7j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "pnggroup", "product": "libpng", "versions": [{"status": "affected", "version": ">= 1.2.1, < 1.6.56"}]}], "references": [{"url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j", "name": "https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/pnggroup/libpng/pull/824", "name": "https://github.com/pnggroup/libpng/pull/824", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb", "name": "https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667", "name": "https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25", "name": "https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1", "name": "https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, `png_set_tRNS` and `png_set_PLTE` each alias a heap-allocated buffer between `png_struct` and `png_info`, sharing a single allocation across two structs with independent lifetimes. The `trans_alpha` aliasing has been present since at least libpng 1.0, and the `palette` aliasing since at least 1.2.1. Both affect all prior release lines `png_set_tRNS` sets `png_ptr->trans_alpha = info_ptr->trans_alpha` (256-byte buffer) and `png_set_PLTE` sets `info_ptr->palette = png_ptr->palette` (768-byte buffer). In both cases, calling `png_free_data` (with `PNG_FREE_TRNS` or `PNG_FREE_PLTE`) frees the buffer through `info_ptr` while the corresponding `png_ptr` pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory. A second call to `png_set_tRNS` or `png_set_PLTE` has the same effect, because both functions call `png_free_data` internally before reallocating the `info_ptr` buffer. Version 1.6.56 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416: Use After Free"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T16:48:54.174Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33416", "state": "PUBLISHED", "dateUpdated": "2026-04-01T03:55:17.603Z", "dateReserved": "2026-03-19T17:02:34.172Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T16:48:54.174Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:libpng:libpng:*:*:*:*:*:*:*:*", "matchCriteriaId": "C54F2804-F7D5-4BC5-B39A-44300C6A6F98", "versionEndExcluding": "1.6.56", "versionStartIncluding": "1.2.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, `png_set_tRNS` and `png_set_PLTE` each alias a heap-allocated buffer between `png_struct` and `png_info`, sharing a single allocation across two structs with independent lifetimes. The `trans_alpha` aliasing has been present since at least libpng 1.0, and the `palette` aliasing since at least 1.2.1. Both affect all prior release lines `png_set_tRNS` sets `png_ptr->trans_alpha = info_ptr->trans_alpha` (256-byte buffer) and `png_set_PLTE` sets `info_ptr->palette = png_ptr->palette` (768-byte buffer). In both cases, calling `png_free_data` (with `PNG_FREE_TRNS` or `PNG_FREE_PLTE`) frees the buffer through `info_ptr` while the corresponding `png_ptr` pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory. A second call to `png_set_tRNS` or `png_set_PLTE` has the same effect, because both functions call `png_free_data` internally before reallocating the `info_ptr` buffer. Version 1.6.56 fixes the issue."}, {"lang": "es", "value": "LIBPNG es una biblioteca de referencia para su uso en aplicaciones que leen, crean y manipulan archivos de imagen r\u00e1ster PNG (Portable Network Graphics). En las versiones 1.2.1 a 1.6.55, 'png_set_tRNS' y 'png_set_PLTE' cada una aliasan un b\u00fafer asignado en el heap entre 'png_struct' y 'png_info', compartiendo una \u00fanica asignaci\u00f3n entre dos estructuras con vidas \u00fatiles independientes. El aliasing de 'trans_alpha' ha estado presente desde al menos libpng 1.0, y el aliasing de 'palette' desde al menos 1.2.1. Ambos afectan a todas las l\u00edneas de versiones anteriores: 'png_set_tRNS' establece 'png_ptr-&gt;trans_alpha = info_ptr-&gt;trans_alpha' (b\u00fafer de 256 bytes) y 'png_set_PLTE' establece 'info_ptr-&gt;palette = png_ptr-&gt;palette' (b\u00fafer de 768 bytes). En ambos casos, llamar a 'png_free_data' (con 'PNG_FREE_TRNS' o 'PNG_FREE_PLTE') libera el b\u00fafer a trav\u00e9s de 'info_ptr' mientras que el puntero 'png_ptr' correspondiente permanece colgante. Las funciones de transformaci\u00f3n de fila subsiguientes desreferencian y, en algunas rutas de c\u00f3digo, escriben en la memoria liberada. Una segunda llamada a 'png_set_tRNS' o 'png_set_PLTE' tiene el mismo efecto, porque ambas funciones llaman internamente a 'png_free_data' antes de reasignar el b\u00fafer de 'info_ptr'. La versi\u00f3n 1.6.56 corrige el problema."}], "id": "CVE-2026-33416", "lastModified": "2026-04-02T20:28:33.973", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T17:16:38.443", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Exploit"], "url": "https://github.com/pnggroup/libpng/pull/824"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "libpng: libpng: Arbitrary code execution due to use-after-free vulnerability", "id": "2451805", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451805"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-825", "details": ["A flaw was found in libpng, a library used for processing PNG (Portable Network Graphics) image files. This vulnerability arises from improper memory management where a heap-allocated buffer is aliased between internal data structures. When specific functions are called, a freed memory region can still be referenced, leading to a use-after-free condition. An attacker could potentially exploit this to achieve arbitrary code execution or cause a denial of service."], "mitigation": {"lang": "en:us", "value": "To reduce exposure, avoid processing untrusted PNG image files with applications that utilize libpng. Restricting the source of PNG images to trusted origins can limit the attack surface."}, "name": "CVE-2026-33416", "package_state": [{"cpe": "cpe:/a:redhat:openjdk_els:11", "fix_state": "Affected", "package_name": "java-11-openjdk", "product_name": "Red Hat build of OpenJDK 11 ELS"}, {"cpe": "cpe:/a:redhat:openjdk_els:11", "fix_state": "Affected", "package_name": "java-11-openjdk-portable", "product_name": "Red Hat build of OpenJDK 11 ELS"}, {"cpe": "cpe:/a:redhat:openjdk_els:11", "fix_state": "Affected", "package_name": "java-17-openjdk", "product_name": "Red Hat build of OpenJDK 11 ELS"}, {"cpe": "cpe:/a:redhat:openjdk_els:11", "fix_state": "Affected", "package_name": "java-21-openjdk", "product_name": "Red Hat build of OpenJDK 11 ELS"}, {"cpe": "cpe:/a:redhat:openjdk_els:11", "fix_state": "Affected", "package_name": "java-21-openjdk-vanilla", "product_name": "Red Hat build of OpenJDK 11 ELS"}, {"cpe": "cpe:/a:redhat:openjdk_els:11", "fix_state": "Affected", "package_name": "java-25-openjdk-portable", "product_name": "Red Hat build of OpenJDK 11 ELS"}, {"cpe": "cpe:/a:redhat:openjdk:17", "fix_state": "Affected", "package_name": "java-17-openjdk", "product_name": "Red Hat build of OpenJDK 17"}, {"cpe": "cpe:/a:redhat:openjdk:17", "fix_state": "Affected", "package_name": "java-17-openjdk-portable", "product_name": "Red Hat build of OpenJDK 17"}, {"cpe": "cpe:/a:redhat:openjdk:17", "fix_state": "Affected", "package_name": "java-21-openjdk", "product_name": "Red Hat build of OpenJDK 17"}, {"cpe": "cpe:/a:redhat:openjdk:17", "fix_state": "Affected", "package_name": "java-21-openjdk-vanilla", "product_name": "Red Hat build of OpenJDK 17"}, {"cpe": "cpe:/a:redhat:openjdk:17", "fix_state": "Affected", "package_name": "java-25-openjdk-portable", "product_name": "Red Hat build of OpenJDK 17"}, {"cpe": "cpe:/a:redhat:openjdk:1.8", "fix_state": "Affected", "package_name": "java-17-openjdk", "product_name": "Red Hat build of OpenJDK 1.8"}, {"cpe": "cpe:/a:redhat:openjdk:1.8", "fix_state": "Affected", "package_name": "java-1.8.0-openjdk-portable", "product_name": "Red Hat build of OpenJDK 1.8"}, {"cpe": "cpe:/a:redhat:openjdk:1.8", "fix_state": "Affected", "package_name": "java-21-openjdk", "product_name": "Red Hat build of OpenJDK 1.8"}, {"cpe": "cpe:/a:redhat:openjdk:1.8", "fix_state": "Affected", "package_name": "java-21-openjdk-vanilla", "product_name": "Red Hat build of OpenJDK 1.8"}, {"cpe": "cpe:/a:redhat:openjdk:21", "fix_state": "Affected", "package_name": "java-17-openjdk", "product_name": "Red Hat build of OpenJDK 21"}, {"cpe": "cpe:/a:redhat:openjdk:21", "fix_state": "Affected", "package_name": "java-21-openjdk", "product_name": "Red Hat build of OpenJDK 21"}, {"cpe": "cpe:/a:redhat:openjdk:21", "fix_state": "Affected", "package_name": "java-21-openjdk-portable", "product_name": "Red Hat build of OpenJDK 21"}, {"cpe": "cpe:/a:redhat:openjdk:21", "fix_state": "Affected", "package_name": "java-21-openjdk-vanilla", "product_name": "Red Hat build of OpenJDK 21"}, {"cpe": "cpe:/a:redhat:openjdk:21", "fix_state": "Affected", "package_name": "java-25-openjdk-portable", "product_name": "Red Hat build of OpenJDK 21"}, {"cpe": "cpe:/a:redhat:openjdk:25", "fix_state": "Affected", "package_name": "java-25-openjdk-portable", "product_name": "Red Hat build of OpenJDK 25"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "java-21-openjdk", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "java-25-openjdk", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "libpng", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Affected", "package_name": "libpng", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "libpng", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "libpng12", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "java-17-openjdk", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "java-1.8.0-openjdk", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "java-21-openjdk", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "libpng", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "libpng12", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "libpng15", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "mingw-libpng", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "java-17-openjdk", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "java-1.8.0-openjdk", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "java-21-openjdk", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "java-25-openjdk", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "libpng", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "libpng15", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-03-26T16:48:54Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33416\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33416\nhttps://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb\nhttps://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667\nhttps://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25\nhttps://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1\nhttps://github.com/pnggroup/libpng/pull/824\nhttps://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.2.1,1.6.56)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "libpng", "source": "cna", "vendor": "pnggroup"}, "product": "libpng", "vendor": "pnggroup"}], "analysis": {"en": {"generated_at": "2026-04-02T22:16:37.082426+00:00", "value": {"mitigation_remediation": ["Upgrade libpng to version 1.6.56 or later."], "summary": {"action": "Immediate Patch", "impact": "Use\u2011After\u2011Free leading to memory corruption and potential arbitrary code execution"}, "threat_synthesis": {"affected_systems": "The affected product is libpng released by pnggroup. All versions from 1.2.1 through 1.6.55 contain the flaw. Applications that link to these libpng releases and process PNG files with tRNS or PLTE chunks are at risk.", "description_and_impact": "The vulnerability in libpng arises from pointer aliasing between png_struct and png_info. The trans_alpha buffer set by png_set_tRNS and the palette buffer set by png_set_PLTE share a single heap allocation. After png_free_data frees the buffer through one struct, the other\u2019s pointer remains dangling. Subsequent processing of PNG data can dereference or write to this freed memory, potentially causing a crash or allowing an attacker to execute arbitrary code, thereby compromising integrity and availability.", "risk_and_exploitability": "The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1% suggests that exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an application to parse a PNG file and later invoke png_set_tRNS or png_set_PLTE, triggering the use\u2011after\u2011free during subsequent row\u2011transform operations. Though the exact attack vector is not specified, an attacker can trigger the flaw by supplying a crafted PNG\u2014potentially via a network connection if the application accepts external image data\u2014leading to arbitrary code execution or denial of service. The risk remains significant where such image processing is performed."}}}}, "created": "2026-03-27T08:33:42.943919+00:00", "updated": "2026-04-03T09:38:59.319248+00:00", "vendors": ["pnggroup", "pnggroup$PRODUCT$libpng"]}