PNG Vulnerabilities Allow Attackers to Trigger Process Crashes, Leak Sensitive Information

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Two high-severity vulnerabilities have been discovered in libpng, the widely used reference library for reading and writing PNG images.

These flaws allow attackers to trigger process crashes, leak sensitive information, and potentially execute arbitrary code by convincing a system to process a crafted PNG file.

The vulnerabilities affect any software that parses malformed images, making them a significant threat to web applications, embedded systems, and server-side image processing pipelines.

The Use-After-Free Flaw (CVE-2026-33416)

The first vulnerability, tracked as CVE-2026-33416, is a Use-After-Free flaw caused by pointer aliasing.

In libpng versions up to 1.6.55, specific memory setup functions share a single memory allocation across two internal structures with independent lifespans.

When an application calls a function to free this shared memory, one pointer is cleared while the other remains dangling.

Subsequent operations on the image row transformations mistakenly use this dangling pointer.

Because the attacker controls the transparency values inside the crafted PNG file, they can deterministically control the exact values written to the freed memory buffer.

This flaw enables heap corruption and can lead to arbitrary code execution on systems that lack protections like PIE or ASLR, a situation common among legacy and embedded devices.

The crafted PNG is completely standards-compliant, meaning typical web application firewalls cannot block the malicious payload without also rejecting valid images.

The Out-of-Bounds Flaw on ARM (CVE-2026-33636)

The second vulnerability, CVE-2026-33636, is an out-of-bounds read and write issue that specifically affects ARM and AArch64 hardware architectures.

This flaw is located in the ARM Neon-optimized palette expansion code introduced in libpng version 1.6.36. During the expansion of 8-bit paletted rows, the processing loop advances in fixed-size chunks.

However, the code fails to verify that enough input pixels remain for the final iteration of the loop.

Since the program logic works backward from the end of the row buffer, the final loop iteration reads from and writes to memory addresses just before the intended buffer.

This underflow causes out-of-bounds reads that could leak sensitive heap contents, and out-of-bounds writes that corrupt adjacent heap memory.

While arbitrary code execution has not been proven for this specific bug, reliable process crashes are easily achievable, making it a severe availability threat.
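The loop shape described in this section, written with the remaining-pixels check in place, as an added example in plain C. It is a simplified scalar model, not libpng's Neon code and not the upstream patch. The chunk width of 4, the RGBA output layout, and the names `expand_palette_rgba` and `check_width` are assumptions made for illustration, and the pixel data is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CHUNK 4u   /* assumed chunk width for this model, not taken from libpng */
#define GUARD 16u  /* canary bytes placed on each side of the row in the self-check */

/* Expand n 8-bit palette indices at the start of row into n RGBA pixels in
 * place (row holds 4*n bytes), walking backward from the end of the row.
 * Returns how many pixels went through the chunked path. */
size_t expand_palette_rgba(uint8_t *row, size_t n, const uint8_t pal[][4])
{
    size_t i = n, chunked = 0;
    while (i >= CHUNK) {               /* bound check: a whole chunk must remain */
        uint8_t idx[CHUNK];
        memcpy(idx, row + (i - CHUNK), CHUNK);   /* read indices before overwriting */
        for (size_t k = 0; k < CHUNK; k++)
            memcpy(row + 4 * (i - CHUNK + k), pal[idx[k]], 4);
        i -= CHUNK;
        chunked += CHUNK;
    }
    while (i > 0) {                    /* scalar tail for the last n % CHUNK pixels */
        uint8_t ix = row[--i];
        memcpy(row + 4 * i, pal[ix], 4);
    }
    return chunked;
}

/* Self-check with constructed data: returns 1 if a row of width n (n <= 64)
 * expands correctly and the canaries around it are untouched. */
int check_width(size_t n)
{
    static uint8_t pal[256][4];
    uint8_t buf[GUARD + 4 * 64 + GUARD];
    uint8_t *row = buf + GUARD;
    if (n > 64) return 0;
    for (size_t c = 0; c < 256; c++) {
        uint8_t e[4] = { (uint8_t)c, (uint8_t)(c ^ 0x55), (uint8_t)(255 - c), 0xFF };
        memcpy(pal[c], e, 4);
    }
    memset(buf, 0xA5, sizeof buf);
    for (size_t p = 0; p < n; p++) row[p] = (uint8_t)(p * 37 + 1);
    expand_palette_rgba(row, n, (const uint8_t (*)[4])pal);
    for (size_t p = 0; p < n; p++)
        if (memcmp(row + 4 * p, pal[(uint8_t)(p * 37 + 1)], 4) != 0) return 0;
    for (size_t g = 0; g < GUARD; g++)
        if (buf[g] != 0xA5 || row[4 * n + g] != 0xA5) return 0;
    return 1;
}
```

Running `check_width` over every width from 0 up, including widths that are not a multiple of the chunk size, is the kind of regression test that catches a missing tail check in chunked row code.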

Administrators and developers are strongly urged to update their libpng packages to the newly patched versions 1.6.56 or 1.8.0 immediately.

The security updates provide independently allocated copies of the affected pointers to resolve the Use-After-Free issue properly.

They also correct the loop boundaries in the ARM Neon hardware optimizations to prevent out-of-bounds memory access.

If upgrading the library is not immediately possible, organizations can apply a temporary workaround for CVE-2026-33636 by recompiling libpng entirely with hardware optimizations disabled.

However, administrators should note that this workaround may result in reduced image processing performance.
