CVE-2026-33416

{"id": "CVE-2026-33416", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.6}]}, "published": "2026-03-26T17:16:38.443", "references": [{"url": "https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/pnggroup/libpng/pull/824", "tags": ["Issue Tracking", "Exploit"], "source": "security-advisories@github.com"}, {"url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, `png_set_tRNS` and `png_set_PLTE` each alias a heap-allocated buffer between `png_struct` and `png_info`, sharing a single allocation across two structs with independent lifetimes. The `trans_alpha` aliasing has been present since at least libpng 1.0, and the `palette` aliasing since at least 1.2.1. Both affect all prior release lines `png_set_tRNS` sets `png_ptr->trans_alpha = info_ptr->trans_alpha` (256-byte buffer) and `png_set_PLTE` sets `info_ptr->palette = png_ptr->palette` (768-byte buffer). In both cases, calling `png_free_data` (with `PNG_FREE_TRNS` or `PNG_FREE_PLTE`) frees the buffer through `info_ptr` while the corresponding `png_ptr` pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory. A second call to `png_set_tRNS` or `png_set_PLTE` has the same effect, because both functions call `png_free_data` internally before reallocating the `info_ptr` buffer. Version 1.6.56 fixes the issue."}, {"lang": "es", "value": "LIBPNG es una biblioteca de referencia para su uso en aplicaciones que leen, crean y manipulan archivos de imagen r\u00e1ster PNG (Portable Network Graphics). En las versiones 1.2.1 a 1.6.55, 'png_set_tRNS' y 'png_set_PLTE' cada una aliasan un b\u00fafer asignado en el heap entre 'png_struct' y 'png_info', compartiendo una \u00fanica asignaci\u00f3n entre dos estructuras con vidas \u00fatiles independientes. El aliasing de 'trans_alpha' ha estado presente desde al menos libpng 1.0, y el aliasing de 'palette' desde al menos 1.2.1. Ambos afectan a todas las l\u00edneas de versiones anteriores: 'png_set_tRNS' establece 'png_ptr->trans_alpha = info_ptr->trans_alpha' (b\u00fafer de 256 bytes) y 'png_set_PLTE' establece 'info_ptr->palette = png_ptr->palette' (b\u00fafer de 768 bytes). En ambos casos, llamar a 'png_free_data' (con 'PNG_FREE_TRNS' o 'PNG_FREE_PLTE') libera el b\u00fafer a trav\u00e9s de 'info_ptr' mientras que el puntero 'png_ptr' correspondiente permanece colgante. Las funciones de transformaci\u00f3n de fila subsiguientes desreferencian y, en algunas rutas de c\u00f3digo, escriben en la memoria liberada. Una segunda llamada a 'png_set_tRNS' o 'png_set_PLTE' tiene el mismo efecto, porque ambas funciones llaman internamente a 'png_free_data' antes de reasignar el b\u00fafer de 'info_ptr'. La versi\u00f3n 1.6.56 corrige el problema."}], "lastModified": "2026-04-02T20:28:33.973", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:libpng:libpng:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C54F2804-F7D5-4BC5-B39A-44300C6A6F98", "versionEndExcluding": "1.6.56", "versionStartIncluding": "1.2.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}