Skip to main content

Libpng EUVDEUVD-2026-20897

| CVE-2026-34757 MEDIUM
Use After Free (CWE-416)
2026-04-09 GitHub_M
5.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.1 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
SUSE
MEDIUM
qualitative
Red Hat
4.4 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
1.6.57
EUVD ID Assigned
Apr 09, 2026 - 15:00 euvd
EUVD-2026-20897
Analysis Generated
Apr 09, 2026 - 15:00 vuln.today
CVE Published
Apr 09, 2026 - 14:41 nvd
MEDIUM 5.1

DescriptionGitHub Advisory

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.0.9 to before 1.6.57, passing a pointer obtained from png_get_PLTE, png_get_tRNS, or png_get_hIST back into the corresponding setter on the same png_struct/png_info pair causes the setter to read from freed memory and copy its contents into the replacement buffer. The setter frees the internal buffer before copying from the caller-supplied pointer, which now dangles. The freed region may contain stale data (producing silently corrupted chunk metadata) or data from subsequent heap allocations (leaking unrelated heap contents into the chunk struct). This vulnerability is fixed in 1.6.57.

AnalysisAI

Use-after-free in libpng 1.0.9 through 1.6.56 allows local attackers to leak heap memory and corrupt PNG chunk metadata by passing a pointer from png_get_PLTE, png_get_tRNS, or png_get_hIST directly into the corresponding setter function on the same structure, exploiting a freed buffer dereference. The vulnerability enables information disclosure and silent data corruption with low attack complexity and no user interaction required; fixed in version 1.6.57.

Technical ContextAI

libpng is a widely-used C library for reading and writing Portable Network Graphics (PNG) files. The vulnerability resides in the getter-setter interaction for PNG ancillary chunks: PLTE (palette), tRNS (transparency), and hIST (histogram). The root cause (CWE-416: Use After Free) occurs because the setter functions free the internal buffer before copying from the caller-supplied pointer; if that pointer was obtained from the getter on the same png_struct/png_info pair, it now points to the freed region. Subsequent heap allocations may reuse this freed memory, causing the setter to read from unrelated heap objects and copy their contents into the PNG chunk structure. This affects libpng from version 1.0.9 onward, as identified by CPE cpe:2.3:a:pnggroup:libpng:*:*:*:*:*:*:*:*.

RemediationAI

Vendor-released patch: libpng 1.6.57. Upgrade libpng to version 1.6.57 or later. For applications using earlier versions, apply the upstream fixes referenced in commits 398cbe3df03f4e11bb031e07f416dfdde3684e8a and 55d20aaa322c9274491cda82c5cd4f99b48c6bcc (see https://github.com/pnggroup/libpng). As a temporary workaround pending patching, applications should avoid the vulnerable API pattern of passing pointers from png_get_PLTE, png_get_tRNS, or png_get_hIST directly into the corresponding setter functions; instead, allocate a fresh buffer and copy chunk data into it before calling the setter. Review https://github.com/pnggroup/libpng/issues/836 and https://github.com/pnggroup/libpng/issues/837 for additional context and implementation guidance.

More in Libpng

View all
CVE-2015-0973 HIGH POC
8.8 Jan 18

Buffer overflow in the png_read_IDAT_data function in pngrutil.c in libpng before 1.5.21 and 1.6.x before 1.6.16 allows

CVE-2026-25646 HIGH POC
8.3 Feb 10

Denial of service (with limited memory disclosure) in libpng before 1.6.55 lets an attacker supply a specially crafted b

CVE-2015-8540 HIGH
8.8 Apr 14

Integer underflow in the png_check_keyword function in pngwutil.c in libpng 0.90 through 0.99, 1.0.x before 1.0.66, 1.1.

CVE-2013-6954 MEDIUM POC
6.5 Jan 12

The png_do_expand_palette function in libpng before 1.6.8 allows remote attackers to cause a denial of service (NULL poi

CVE-2025-66293 HIGH POC
7.1 Dec 03

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics)

CVE-2025-65018 HIGH POC
7.1 Nov 25

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics)

CVE-2025-64720 HIGH POC
7.1 Nov 25

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics)

CVE-2019-6129 MEDIUM POC
6.5 Jan 11

png_create_info_struct in png.c in libpng 1.6.36 has a memory leak, as demonstrated by pngcp. Rated medium severity (CVS

CVE-2018-14048 MEDIUM POC
6.5 Jul 13

An issue has been found in libpng 1.6.34. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable,

CVE-2026-22695 MEDIUM POC
6.1 Jan 12

Libpng versions 1.6.51-1.6.53 contain a heap buffer over-read in the simplified API function png_image_finish_read when

CVE-2025-28164 MEDIUM POC
5.5 Jan 27

Buffer Overflow vulnerability in libpng 1.6.43-1.6.46 allows a local attacker to cause a denial of service via png_creat

CVE-2025-28162 MEDIUM POC
5.5 Jan 27

Buffer Overflow vulnerability in libpng 1.6.43-1.6.46 allows a local attacker to cause a denial of service via the pngim

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Micro 5.2 Affected
SUSE Linux Enterprise Micro 5.3 Affected
SUSE Linux Enterprise Micro 5.4 Affected
SUSE Linux Enterprise Micro 5.5 Affected

Share

EUVD-2026-20897 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy