PNG Vulnerabilities Allow Attackers to Trigger Crashes and Leak Sensitive Data
Security researchers have disclosed two high-severity vulnerabilities in libpng, the widely deployed reference library used for processing Portable Network Graphics (PNG) image files.
These critical flaws allow remote attackers to trigger process crashes, leak sensitive heap memory, and potentially achieve arbitrary code execution by tricking applications into processing specially crafted, standards-compliant PNG images.
Both vulnerabilities require immediate patching to secure affected software ecosystems.
CVE-2026-33416: Use-After-Free via Pointer Aliasing
The first vulnerability, tracked as CVE-2026-33416 with a High CVSS severity score of 8.1, stems from a use-after-free condition within the library’s transparency and palette-handling code.
Specifically, functions like png_set_tRNS and png_set_PLTE improperly alias a single heap-allocated buffer between the png_struct and png_info structures, which possess independent lifecycles.
When an application releases memory, the buffer is freed through one structure while leaving a dangerous dangling pointer in the other.
During subsequent image row-transform operations, the software dereferences this dangling pointer.
Because the attacker fully controls the transparency chunk values in the malicious PNG file, they can deterministically influence the data written back to the freed memory block.
This results in read-after-free conditions that can leak sensitive application data, as well as write-after-free conditions that cause severe heap corruption.
Under specific conditions, such as on embedded systems or legacy servers lacking modern memory randomization (PIE/ASLR), this memory corruption has been weaponized to demonstrate arbitrary code execution. This flaw affects libpng versions 1.2.1 through 1.6.55.
CVE-2026-33636: Out-of-Bounds Read/Write on ARM Neon
The second vulnerability, designated as CVE-2026-33636 with a High CVSS score of 7.1, is an out-of-bounds read and write flaw located in the ARM/AArch64 Neon-optimized palette expansion routines.
When expanding 8-bit paletted rows to standard color formats, the hardware-optimized loop processes the final image chunks without accurately verifying if enough input pixels remain.
By working backward from the end of the row, the loop’s final iteration dereferences pointers well before the start of the image buffer.
This architectural oversight causes the system to write attacker-influenced palette data at negative offsets from the row buffer, directly resulting in heap corruption.
While arbitrary code execution has not been proven for this specific bug, it reliably causes process crashes, leading to a high-impact denial-of-service condition.
It also enables out-of-bounds reads that may leak sensitive heap contents through decoded pixel outputs.
This issue is strictly limited to ARM/AArch64 environments compiled with Neon optimizations enabled, impacting versions 1.6.36 through 1.6.55.
To mitigate these security risks, organizations must urgently upgrade to libpng version 1.6.56 or the 1.8.0 trunk release, which correctly decouple memory lifetimes and enforce strict loop boundaries.
For environments that cannot patch CVE-2026-33636 immediately, administrators can apply a temporary workaround by disabling ARM Neon hardware optimizations setting the compiler flag -DPNG_ARM_NEON_OPT=0 during the build process to avoid the vulnerable code path entirely.