{"id":"CVE-2026-33416","summary":"LIBPNG has use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`","details":"LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, `png_set_tRNS` and `png_set_PLTE` each alias a heap-allocated buffer between `png_struct` and `png_info`, sharing a single allocation across two structs with independent lifetimes. The `trans_alpha` aliasing has been present since at least libpng 1.0, and the `palette` aliasing since at least 1.2.1. Both affect all prior release lines. `png_set_tRNS` sets `png_ptr-\u003etrans_alpha = info_ptr-\u003etrans_alpha` (256-byte buffer) and `png_set_PLTE` sets `info_ptr-\u003epalette = png_ptr-\u003epalette` (768-byte buffer). In both cases, calling `png_free_data` (with `PNG_FREE_TRNS` or `PNG_FREE_PLTE`) frees the buffer through `info_ptr` while the corresponding `png_ptr` pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory. A second call to `png_set_tRNS` or `png_set_PLTE` has the same effect, because both functions call `png_free_data` internally before reallocating the `info_ptr` buffer. 
Version 1.6.56 fixes the issue.","aliases":["GHSA-m4pc-p4q3-4c7j"],"modified":"2026-04-22T18:29:23.622541381Z","published":"2026-03-26T16:48:54.174Z","related":["ALSA-2026:7671","ALSA-2026:7672","ALSA-2026:8052","ALSA-2026:8459","SUSE-SU-2026:1311-1","SUSE-SU-2026:1323-1","SUSE-SU-2026:1368-1","SUSE-SU-2026:1500-1","SUSE-SU-2026:21000-1","SUSE-SU-2026:21038-1","SUSE-SU-2026:21067-1","SUSE-SU-2026:21138-1","openSUSE-SU-2026:10451-1","openSUSE-SU-2026:20466-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33416.json","cwe_ids":["CWE-416"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33416.json"},{"type":"FIX","url":"https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb"},{"type":"FIX","url":"https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667"},{"type":"FIX","url":"https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25"},{"type":"FIX","url":"https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1"},{"type":"FIX","url":"https://github.com/pnggroup/libpng/pull/824"},{"type":"ADVISORY","url":"https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33416"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pnggroup/libpng","events":[{"introduced":"f50c91b7bd6d7c539bd8820c8ab2e37a86108a44"},{"fixed":"d5515b5b8be3901aac04e5bd8bd5c89f287bcd33"}],"database_specific":{"versions":[{"introduced":"1.2.1"},{"fixed":"1.6.56"}]}}],"versions":["libpng-1.6.10-signed","libpng-1.6.11-signed","libpng-1.6.12-signed","libpng-1.6.13-signed","libpng-1.6.14-signed","libpng-1.6.15-signed","libpng-1.6.16-signed","libpng-1.6.17-signed","libpng-1.6.18-signed","libpng-1.6.2-signed","libpng-1.6.20-signed","libpng-1.6.
21-signed","libpng-1.6.23-signed","libpng-1.6.24-signed","libpng-1.6.25-signed","libpng-1.6.26-signed","libpng-1.6.29-signed","libpng-1.6.3-signed","libpng-1.6.30-master-signed","libpng-1.6.30-signed","libpng-1.6.31-master-signed","libpng-1.6.31-signed","libpng-1.6.4-signed","libpng-1.6.7-signed","libpng-1.6.8-signed","libpng-1.6.9-signed","v1.2.1","v1.2.10beta1","v1.2.10beta2","v1.2.10beta3","v1.2.10beta4","v1.2.10beta5","v1.2.10beta6","v1.2.10beta7","v1.2.10rc1","v1.2.2","v1.2.2beta1","v1.2.2beta2","v1.2.2beta3","v1.2.2beta4","v1.2.2beta5","v1.2.2beta6","v1.2.2rc1","v1.2.3","v1.2.3rc1","v1.2.3rc2","v1.2.3rc3","v1.2.3rc4","v1.2.3rc5","v1.2.3rc6","v1.2.4","v1.2.4beta1","v1.2.4beta2","v1.2.4beta3","v1.2.4rc1","v1.2.5","v1.2.5beta1","v1.2.5beta2","v1.2.5rc1","v1.2.5rc2","v1.2.5rc3","v1.2.6","v1.2.6beta1","v1.2.6beta2","v1.2.6beta3","v1.2.6beta4","v1.2.6rc1","v1.2.6rc2","v1.2.6rc3","v1.2.6rc4","v1.2.6rc5","v1.2.7","v1.2.7beta1","v1.2.7beta2","v1.2.7rc1","v1.2.8","v1.2.8beta1","v1.2.8beta2","v1.2.8beta3","v1.2.8beta4","v1.2.8beta5","v1.2.8rc1","v1.2.8rc2","v1.2.8rc3","v1.2.8rc4","v1.2.8rc5","v1.2.9","v1.2.9beta1","v1.2.9beta10","v1.2.9beta11","v1.2.9beta2","v1.2.9beta3","v1.2.9beta4","v1.2.9beta5","v1.2.9beta6","v1.2.9beta7","v1.2.9beta8","v1.2.9beta9","v1.2.9rc1","v1.4.0beta1","v1.4.0beta10","v1.4.0beta100","v1.4.0beta101","v1.4.0beta102","v1.4.0beta104","v1.4.0beta105","v1.4.0beta106","v1.4.0beta107","v1.4.0beta108","v1.4.0beta109","v1.4.0beta11","v1.4.0beta12","v1.4.0beta13","v1.4.0beta14","v1.4.0beta15","v1.4.0beta16","v1.4.0beta17","v1.4.0beta18","v1.4.0beta19","v1.4.0beta2","v1.4.0beta20","v1.4.0beta21","v1.4.0beta22","v1.4.0beta23","v1.4.0beta24","v1.4.0beta25","v1.4.0beta26","v1.4.0beta27","v1.4.0beta28","v1.4.0beta29","v1.4.0beta3","v1.4.0beta30","v1.4.0beta31","v1.4.0beta32","v1.4.0beta33","v1.4.0beta34","v1.4.0beta35","v1.4.0beta36","v1.4.0beta37","v1.4.0beta38","v1.4.0beta39","v1.4.0beta4","v1.4.0beta40","v1.4.0beta41","v1.4.0beta42","v1.4.0beta43","v1.4.0be
ta44","v1.4.0beta45","v1.4.0beta46","v1.4.0beta47","v1.4.0beta48","v1.4.0beta49","v1.4.0beta5","v1.4.0beta50","v1.4.0beta51","v1.4.0beta52","v1.4.0beta53","v1.4.0beta54","v1.4.0beta55","v1.4.0beta56","v1.4.0beta57","v1.4.0beta58","v1.4.0beta6","v1.4.0beta60","v1.4.0beta61","v1.4.0beta62","v1.4.0beta63","v1.4.0beta64","v1.4.0beta65","v1.4.0beta66","v1.4.0beta67","v1.4.0beta68","v1.4.0beta69","v1.4.0beta7","v1.4.0beta70","v1.4.0beta71","v1.4.0beta73","v1.4.0beta75","v1.4.0beta76","v1.4.0beta77","v1.4.0beta78","v1.4.0beta79","v1.4.0beta8","v1.4.0beta80","v1.4.0beta81","v1.4.0beta82","v1.4.0beta83","v1.4.0beta84","v1.4.0beta85","v1.4.0beta86","v1.4.0beta87","v1.4.0beta89","v1.4.0beta9","v1.4.0beta90","v1.4.0beta91","v1.4.0beta92","v1.4.0beta93","v1.4.0beta94","v1.4.0beta95","v1.4.0beta96","v1.4.0beta98","v1.4.0beta99","v1.4.0rc03","v1.4.0rc04","v1.4.0rc05","v1.4.0rc06","v1.4.0rc07","v1.4.0rc08","v1.5.0","v1.5.0beta01","v1.5.0beta02","v1.5.0beta03","v1.5.0beta04","v1.5.0beta05","v1.5.0beta06","v1.5.0beta07","v1.5.0beta08","v1.5.0beta09","v1.5.0beta11","v1.5.0beta12","v1.5.0beta13","v1.5.0beta14","v1.5.0beta15","v1.5.0beta16","v1.5.0beta17","v1.5.0beta18","v1.5.0beta19","v1.5.0beta20","v1.5.0beta21","v1.5.0beta22","v1.5.0beta23","v1.5.0beta24","v1.5.0beta25","v1.5.0beta26","v1.5.0beta27","v1.5.0beta28","v1.5.0beta29","v1.5.0beta30","v1.5.0beta31","v1.5.0beta32","v1.5.0beta33","v1.5.0beta34","v1.5.0beta35","v1.5.0beta36","v1.5.0beta37","v1.5.0beta38","v1.5.0beta39","v1.5.0beta40","v1.5.0beta41","v1.5.0beta42","v1.5.0beta43","v1.5.0beta44","v1.5.0beta45","v1.5.0beta46","v1.5.0beta47","v1.5.0beta48","v1.5.0beta49","v1.5.0beta50","v1.5.0beta51","v1.5.0beta52","v1.5.0beta53","v1.5.0beta54","v1.5.0beta55","v1.5.0beta56","v1.5.0beta57","v1.5.0beta58","v1.5.0rc01","v1.5.0rc02","v1.5.0rc03","v1.5.0rc05","v1.5.0rc06","v1.5.1","v1.5.1beta01","v1.5.1beta02","v1.5.1beta03","v1.5.1beta04","v1.5.1beta05","v1.5.1beta06","v1.5.1beta07","v1.5.1beta08","v1.5.1beta09","v1.5.1beta10","v1.5.1b
eta11","v1.5.1rc01","v1.5.1rc02","v1.5.2","v1.5.2beta01","v1.5.2beta02","v1.5.2beta03","v1.5.2rc01","v1.5.2rc02","v1.5.2rc03","v1.5.3beta01","v1.5.3beta02","v1.5.3beta03","v1.5.3beta05","v1.5.3beta06","v1.5.3beta07","v1.5.3beta08","v1.5.3beta09","v1.5.3beta10","v1.5.3beta11","v1.5.3rc01","v1.5.3rc02","v1.5.4","v1.5.4beta01","v1.5.4beta02","v1.5.4beta03","v1.5.4beta04","v1.5.4beta05","v1.5.4beta06","v1.5.4beta07","v1.5.4beta08","v1.5.4rc01","v1.5.5","v1.5.5beta01","v1.5.5beta02","v1.5.5beta03","v1.5.5beta04","v1.5.5beta05","v1.5.5beta06","v1.5.5beta07","v1.5.5beta08","v1.5.5rc01","v1.5.6","v1.5.6beta01","v1.5.6beta02","v1.5.6beta03","v1.5.6beta04","v1.5.6beta05","v1.5.6beta06","v1.5.6beta07","v1.5.6rc01","v1.5.6rc02","v1.5.6rc03","v1.5.7beta01","v1.5.7beta02","v1.5.7beta03","v1.5.7beta04","v1.6.0","v1.6.0beta01","v1.6.0beta02","v1.6.0beta03","v1.6.0beta04","v1.6.0beta05","v1.6.0beta06","v1.6.0beta07","v1.6.0beta08","v1.6.0beta09","v1.6.0beta10","v1.6.0beta11","v1.6.0beta12","v1.6.0beta13","v1.6.0beta14","v1.6.0beta15","v1.6.0beta16","v1.6.0beta17","v1.6.0beta18","v1.6.0beta19","v1.6.0beta21","v1.6.0beta22","v1.6.0beta23","v1.6.0beta24","v1.6.0beta25","v1.6.0beta26","v1.6.0beta27","v1.6.0beta28","v1.6.0beta29","v1.6.0beta30","v1.6.0beta31","v1.6.0beta32","v1.6.0beta33","v1.6.0beta34","v1.6.0beta35","v1.6.0beta36","v1.6.0beta37","v1.6.0beta38","v1.6.0beta39","v1.6.0beta40","v1.6.0rc01","v1.6.0rc02","v1.6.0rc03","v1.6.0rc04","v1.6.0rc05","v1.6.0rc06","v1.6.0rc07","v1.6.0rc08","v1.6.1","v1.6.10","v1.6.10beta01","v1.6.10beta02","v1.6.10rc01","v1.6.10rc02","v1.6.10rc03","v1.6.11","v1.6.11beta01","v1.6.11beta02","v1.6.11beta03","v1.6.11beta04","v1.6.11beta05","v1.6.11beta06","v1.6.11rc01","v1.6.11rc02","v1.6.12","v1.6.12rc01","v1.6.12rc02","v1.6.12rc03","v1.6.13","v1.6.13beta01","v1.6.13beta02","v1.6.13beta03","v1.6.13beta04","v1.6.13rc01","v1.6.14","v1.6.14beta01","v1.6.14beta02","v1.6.14beta03","v1.6.14beta04","v1.6.14beta05","v1.6.14beta06","v1.6.14beta07","v1.6.14rc01",
"v1.6.14rc02","v1.6.15","v1.6.15beta01","v1.6.15beta02","v1.6.15beta03","v1.6.15beta04","v1.6.15beta05","v1.6.15beta06","v1.6.15beta07","v1.6.15beta08","v1.6.15rc01","v1.6.15rc02","v1.6.15rc03","v1.6.16","v1.6.16beta01","v1.6.16beta02","v1.6.16beta03","v1.6.16rc01","v1.6.16rc02","v1.6.16rc03","v1.6.17","v1.6.17beta01","v1.6.17beta02","v1.6.17beta03","v1.6.17beta04","v1.6.17beta05","v1.6.17rc01","v1.6.17rc02","v1.6.17rc03","v1.6.17rc04","v1.6.17rc05","v1.6.17rc06","v1.6.18","v1.6.18beta01","v1.6.18beta02","v1.6.18beta03","v1.6.18beta04","v1.6.18beta05","v1.6.18beta06","v1.6.18beta07","v1.6.18beta08","v1.6.18beta09","v1.6.18rc01","v1.6.18rc02","v1.6.18rc03","v1.6.19","v1.6.19beta01","v1.6.19beta02","v1.6.19beta03","v1.6.19beta04","v1.6.19rc01","v1.6.19rc02","v1.6.19rc03","v1.6.19rc04","v1.6.1beta01","v1.6.1beta02","v1.6.1beta03","v1.6.1beta04","v1.6.1beta05","v1.6.1beta06","v1.6.1beta07","v1.6.1beta08","v1.6.1beta09","v1.6.1rc01","v1.6.2","v1.6.20beta01","v1.6.20beta02","v1.6.20beta03","v1.6.20rc01","v1.6.20rc02","v1.6.21","v1.6.21beta01","v1.6.21beta02","v1.6.21beta03","v1.6.21rc01","v1.6.21rc02","v1.6.22","v1.6.22beta01","v1.6.22beta02","v1.6.22beta05","v1.6.22beta06","v1.6.22rc01","v1.6.22rc02","v1.6.22rc03","v1.6.23","v1.6.23beta01","v1.6.23rc01","v1.6.23rc02","v1.6.24","v1.6.24beta02","v1.6.24beta03","v1.6.24beta04","v1.6.24beta05","v1.6.24beta06","v1.6.24rc01","v1.6.24rc02","v1.6.24rc03","v1.6.25","v1.6.25beta02","v1.6.25rc04","v1.6.26","v1.6.26beta01","v1.6.26beta02","v1.6.26beta03","v1.6.26beta04","v1.6.26beta05","v1.6.26beta06","v1.6.26rc01","v1.6.27beta01","v1.6.29","v1.6.29beta02","v1.6.29beta03","v1.6.29rc01","v1.6.2beta01","v1.6.2beta02","v1.6.2rc01","v1.6.2rc02","v1.6.2rc03","v1.6.2rc04","v1.6.2rc05","v1.6.2rc06","v1.6.3","v1.6.30","v1.6.30beta01","v1.6.30beta02","v1.6.30beta03","v1.6.30beta04","v1.6.30rc01","v1.6.31","v1.6.31beta01","v1.6.31beta02","v1.6.31beta03","v1.6.31beta04","v1.6.31beta05","v1.6.31beta06","v1.6.31beta07","v1.6.31rc01","v1.6.31rc02
","v1.6.32","v1.6.32beta01","v1.6.32beta02","v1.6.32beta03","v1.6.32beta05","v1.6.32beta06","v1.6.32beta07","v1.6.32beta08","v1.6.32beta09","v1.6.32beta10","v1.6.32beta11","v1.6.32rc01","v1.6.32rc02","v1.6.33","v1.6.33beta01","v1.6.33beta02","v1.6.33beta03","v1.6.33rc01","v1.6.33rc02","v1.6.34","v1.6.35","v1.6.35beta01","v1.6.36","v1.6.37","v1.6.38","v1.6.39","v1.6.3beta01","v1.6.3beta02","v1.6.3beta03","v1.6.3beta04","v1.6.3beta05","v1.6.3beta06","v1.6.3beta07","v1.6.3beta08","v1.6.3beta09","v1.6.3beta10","v1.6.3rc01","v1.6.4","v1.6.40","v1.6.41","v1.6.42","v1.6.43","v1.6.44","v1.6.45","v1.6.46","v1.6.47","v1.6.48","v1.6.49","v1.6.4beta02","v1.6.4rc01","v1.6.5","v1.6.50","v1.6.51","v1.6.52","v1.6.53","v1.6.54","v1.6.55","v1.6.6","v1.6.7","v1.6.7beta01","v1.6.7beta02","v1.6.7beta03","v1.6.7beta04","v1.6.7rc01","v1.6.7rc02","v1.6.8","v1.6.8beta01","v1.6.8beta02","v1.6.8rc02","v1.6.9","v1.6.9beta01","v1.6.9beta02","v1.6.9beta03","v1.6.9rc01","v1.6.9rc02"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33416.json","vanir_signatures":[{"id":"CVE-2026-33416-053d8287","source":"https://github.com/pnggroup/libpng/commit/d5515b5b8be3901aac04e5bd8bd5c89f287bcd33","signature_version":"v1","target":{"file":"pngtest.c"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["277710390577621166110153611286032748480","37812626001429359030407727102204306192","235108146190051955392336492964133331294","308819439959077714989618121299124277555","260397287775790088579463485285595959002"]},"deprecated":false},{"id":"CVE-2026-33416-9a8d3ae7","source":"https://github.com/pnggroup/libpng/commit/d5515b5b8be3901aac04e5bd8bd5c89f287bcd33","signature_version":"v1","target":{"file":"png.c"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["195793623419483107751349550499422338653","241481619897360395005270248340996576576","333957916052778635910280086895133772621","73182602440664933896353205027083131409","119279519610
455638020139458056230155289","215279933436747534013670962459111392399"]},"deprecated":false},{"id":"CVE-2026-33416-dc375153","signature_version":"v1","source":"https://github.com/pnggroup/libpng/commit/d5515b5b8be3901aac04e5bd8bd5c89f287bcd33","target":{"file":"png.h"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["166375070723291529406421301066248769034","275647010778297936193963675511576832388","256826767335212246520616614652191899280","279336807821086835335477021495116274772","53629475448747437379627006107537775352","46568612355367798241902050586166833318","245452045998668159989023841863587304868","114709392716353867339954008479701831121"]},"deprecated":false},{"signature_version":"v1","id":"CVE-2026-33416-ed236551","source":"https://github.com/pnggroup/libpng/commit/d5515b5b8be3901aac04e5bd8bd5c89f287bcd33","target":{"function":"png_get_copyright","file":"png.c"},"signature_type":"Function","digest":{"length":481,"function_hash":"241740084829777515414352894687164664979"},"deprecated":false}],"vanir_signatures_modified":"2026-04-12T20:12:39Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}