DEBIAN-CVE-2026-33416

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2026-33416
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33416.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-33416
Upstream
Downstream
Published
2026-03-26T17:16:38.443Z
Modified
2026-04-02T21:19:59.012412Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, png_set_tRNS and png_set_PLTE each alias a heap-allocated buffer between png_struct and png_info, sharing a single allocation across two structs with independent lifetimes. The trans_alpha aliasing has been present since at least libpng 1.0, and the palette aliasing since at least 1.2.1. Both affect all prior release lines png_set_tRNS sets png_ptr->trans_alpha = info_ptr->trans_alpha (256-byte buffer) and png_set_PLTE sets info_ptr->palette = png_ptr->palette (768-byte buffer). In both cases, calling png_free_data (with PNG_FREE_TRNS or PNG_FREE_PLTE) frees the buffer through info_ptr while the corresponding png_ptr pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory. A second call to png_set_tRNS or png_set_PLTE has the same effect, because both functions call png_free_data internally before reallocating the info_ptr buffer. Version 1.6.56 fixes the issue.

References

Affected packages

Debian:11 / libpng1.6

Package

Name
libpng1.6
Purl
pkg:deb/debian/libpng1.6?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.6.37-3+deb11u3

Affected versions

1.*
1.6.37-3
1.6.37-3+deb11u1
1.6.37-3+deb11u2

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33416.json"

Debian:12 / libpng1.6

Package

Name
libpng1.6
Purl
pkg:deb/debian/libpng1.6?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.6.39-2+deb12u4

Affected versions

1.*
1.6.39-2
1.6.39-2+deb12u1
1.6.39-2+deb12u2
1.6.39-2+deb12u3

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33416.json"

Debian:13 / libpng1.6

Package

Name
libpng1.6
Purl
pkg:deb/debian/libpng1.6?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.6.48-1+deb13u4

Affected versions

1.*
1.6.48-1
1.6.48-1+deb13u1
1.6.48-1+deb13u2
1.6.48-1+deb13u3

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33416.json"

Debian:14 / libpng1.6

Package

Name
libpng1.6
Purl
pkg:deb/debian/libpng1.6?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.6.56-1

Affected versions

1.*
1.6.48-1
1.6.49-1~exp1
1.6.50-1~exp1
1.6.50-1
1.6.51-1
1.6.52-1
1.6.53-1
1.6.54-1
1.6.55-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33416.json"