Message-ID: <CAAoVtZyv9vGho=gUKP4o7hu4pEtTFPeOODZKQTqAbeBcG8E9AA@mail.gmail.com>
Date: Thu, 26 Mar 2026 01:22:34 +0200
From: Cosmin Truta <ctruta@...il.com>
To: oss-security@...ts.openwall.com
Subject: libpng 1.6.56: Two high-severity vulnerabilities fixed: CVE-2026-33416, CVE-2026-33636

Hello, everyone,

libpng 1.6.56 has been released, fixing two high-severity vulnerabilities: a use-after-free in the low-level API affecting all versions, and an out-of-bounds read/write in the ARM Neon palette expansion affecting versions 1.6.36 through 1.6.55.

Users should either upgrade to libpng 1.6.56 or apply the fixes described below.

=== CVE-2026-33416 ===

Use-after-free via pointer aliasing in png_set_tRNS and png_set_PLTE

Security advisory:
https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j

Fixes:
https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb
https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667

CVSS 3.1: 7.5 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-416 (Use-After-Free)
Affected: all versions through 1.6.55
Fixed: libpng 1.6.56

png_set_tRNS and png_set_PLTE each alias a heap-allocated buffer between png_struct and png_info, sharing a single allocation across two structs with independent lifetimes. Calling png_free_data (or a second call to png_set_tRNS / png_set_PLTE) frees the buffer through info_ptr while the corresponding png_ptr pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory.

Impact:
- Read-after-free: freed heap memory read via dangling pointer in row-transform functions; may leak sensitive heap contents
- Write-after-free: the PNG_READ_INVERT_ALPHA complement loop (trans_alpha) and bit-shift transforms (palette) write attacker-influenced values to freed heap memory
- Arbitrary code execution has been demonstrated in proof-of-concept exploits on allocators with deterministic reuse (e.g. glibc tcache)

The crafted PNG files that trigger this vulnerability are valid per the PNG specification and pass all PNG validators.

Credits:
- Halil Oktay (discovery and fix)
- Ryo Shimada (independent discovery and exploitability demonstration)
- Cosmin Truta (follow-up fix)

=== CVE-2026-33636 ===

Out-of-bounds read/write in the palette expansion on ARM Neon

Security advisory:
https://github.com/pnggroup/libpng/security/advisories/GHSA-wjr5-c57x-95m2

Fix:
https://github.com/pnggroup/libpng/commit/aba9f18eba870d14fb52c5ba5d73451349e339c3

CVSS 3.1: 7.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
CWE: CWE-125 (Out-of-bounds Read), CWE-787 (Out-of-bounds Write)
Affected: libpng 1.6.36 through 1.6.55
Fixed: libpng 1.6.56

The ARM/AArch64 Neon-optimized palette expansion functions process rows in fixed-size chunks (4 pixels for RGBA, 8 for RGB), working backward from the end of the row. The loop bound permits a final iteration when fewer than a full chunk of input pixels remain, causing reads before the start of the row buffer and writes of expanded pixel data to the same underflowed positions.

Impact:
- Out-of-bounds read: may leak heap contents through decoded pixel output, since the palette is attacker-controlled
- Out-of-bounds write: attacker-influenced palette data written at deterministic negative offsets from the row buffer (heap corruption)
- Denial of service: reliable process crashes confirmed

Only ARM/AArch64 builds with Neon enabled are affected. Builds targeting Intel SSE2, PowerPC VSX, LoongArch LSX, or generic C code are NOT affected.

Workaround: build with CFLAGS set to "-DPNG_ARM_NEON_OPT=0".

Credits:
- Taegu Ha (discovery and fix)
- Cosmin Truta (follow-up fix)

=== References ===

- Release: https://github.com/pnggroup/libpng/releases/tag/v1.6.56
- libpng homepage: http://www.libpng.org/pub/png/libpng.html

---
Cosmin Truta
libpng maintainer
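The loop-bound defect behind CVE-2026-33636, shown on a scalar model added here (not libpng's code): `naive_lowest_index` reports how far below the row start a chunk loop with the bound "keep going while pixels remain" reaches for a given width, and `expand_palette_rgba` is the corrected shape, which runs the chunk loop only while a full chunk is left and finishes the head of the row pixel by pixel. The chunk size and RGBA layout follow the advisory; the loop shapes, function names and palette format are assumptions for illustration.

```c
/* Scalar model (added example, not libpng code) of the backward, chunked
 * palette expansion described for CVE-2026-33636. CHUNK and BPP follow the
 * advisory's RGBA case; everything else is an assumption. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CHUNK 4   /* pixels per Neon chunk for RGBA output */
#define BPP   4   /* bytes per expanded RGBA pixel */

/* Lowest pixel index touched by the naive bound
 * "i = width; while (i > 0) i -= CHUNK". A negative result is an
 * under-read/under-write before the row start; it occurs whenever
 * width is not a multiple of CHUNK. */
long naive_lowest_index(long width)
{
    long i = width, lowest = width;
    while (i > 0) {
        i -= CHUNK;                 /* last iteration may step below zero */
        if (i < lowest) lowest = i;
    }
    return lowest;
}

/* Corrected shape: chunk loop only while a full chunk remains, then a
 * per-pixel tail for the 0..CHUNK-1 leftover pixels at the row head.
 * Works backward, so it is safe in place (out may equal idx when
 * out_len >= width * BPP). Returns -1 if out is too small, else 0. */
int expand_palette_rgba(const uint8_t *idx, size_t width,
                        const uint8_t palette[256][BPP],
                        uint8_t *out, size_t out_len)
{
    size_t i = width;
    if (width > out_len / BPP) return -1;
    while (i >= CHUNK) {
        uint8_t c[CHUNK];
        i -= CHUNK;
        memcpy(c, idx + i, CHUNK);  /* read the whole chunk before writing */
        for (size_t k = 0; k < CHUNK; k++)
            memcpy(out + (i + k) * BPP, palette[c[k]], BPP);
    }
    while (i > 0) {                 /* scalar tail, never below index 0 */
        uint8_t c = idx[--i];
        memcpy(out + i * BPP, palette[c], BPP);
    }
    return 0;
}
```

A width of 5 or 3 makes the naive bound reach indices -3 and -1, matching the advisory's "fewer than a full chunk remain" condition, while the corrected loop never reads below the row start.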