Message-ID: <CAAoVtZwZrCcUGJsGh9WKpd7gvSq0o0wFO=RB-VCxoHmdv-GONA@mail.gmail.com>
Date: Thu, 9 Apr 2026 02:29:32 +0300
From: Cosmin Truta <ctruta@...il.com>
To: oss-security@...ts.openwall.com
Subject: libpng 1.6.57: Use-after-free vulnerability fixed: CVE-2026-34757

Hello, everyone,

libpng 1.6.57 has been released, fixing a medium-severity use-after-free
vulnerability in the chunk setter API, including a long-standing defect in
png_set_hIST present since at least 1.0.9 and regressions in png_set_PLTE and
png_set_tRNS introduced in 1.6.56.

Users should either upgrade to libpng 1.6.57 or apply the fixes described below.

=== CVE-2026-34757 ===

Use-after-free in png_set_PLTE, png_set_tRNS and png_set_hIST leading to
corrupted chunk data and potential heap information disclosure

Security advisory:
https://github.com/pnggroup/libpng/security/advisories/GHSA-6fr7-g8h7-v645

Fixes:
https://github.com/pnggroup/libpng/commit/398cbe3df03f4e11bb031e07f416dfdde3684e8a
https://github.com/pnggroup/libpng/commit/55d20aaa322c9274491cda82c5cd4f99b48c6bcc

CVSS 3.1: 5.1 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CWE: CWE-416 (Use-After-Free)
Affected (png_set_PLTE, png_set_tRNS): libpng 1.6.56 only
Affected (png_set_hIST): all versions since at least libpng 1.0.9
Fixed: libpng 1.6.57

Passing a pointer obtained from png_get_PLTE, png_get_tRNS, or png_get_hIST
back into the corresponding setter on the same png_struct/png_info pair causes
the setter to free the internal buffer before copying from the caller-supplied
pointer, which now dangles. The subsequent copy reads from freed memory,
producing corrupted chunk data or leaking unrelated heap contents into the
chunk struct.

The png_set_PLTE and png_set_tRNS defects are regressions introduced by the
CVE-2026-33416 fix in libpng 1.6.56; earlier versions tolerated the aliased
pointer by accident. The png_set_hIST defect has been present since at least
libpng 1.0.9.

The defect cannot be triggered by a crafted PNG file alone; it requires the
application to call the getter and setter in sequence on the same struct pair.
Any valid image carrying the relevant chunk suffices to populate the internal
pointer that the application then aliases.

Impact:
- Corrupted chunk data: the setter copies stale or reallocated heap contents
  into the replacement buffer, silently corrupting chunk metadata
- Information disclosure: unrelated heap data may become visible through
  subsequent getter calls

The same release also hardens the append-style setters (png_set_text,
png_set_sPLT, png_set_unknown_chunks) against a theoretical variant of the
same aliasing pattern.

Workaround: applications that pass a getter's return value back to the
corresponding setter on the same struct pair can simply remove the redundant
setter call, or copy the getter's output into a caller-owned buffer before
passing it to the setter.

Credits:
- @Iv4n550 (discovery of PLTE and tRNS defects)
- Cosmin Truta (discovery of hIST defect and fix of all defects)

=== References ===

- Release: https://github.com/pnggroup/libpng/releases/tag/v1.6.57
- libpng homepage: http://www.libpng.org/pub/png/libpng.html

---
Cosmin Truta
libpng maintainer
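The getter/setter aliasing pattern and the caller-side workaround described above, as an added example that is not libpng's code: a hypothetical PLTE-style setter on a stand-in info struct (rgb_t, info_t, get_palette, set_palette, set_palette_via_copy are all constructed names), written with the copy-before-free ordering that stays correct when the caller passes the getter's own pointer back in.

```c
#include <stdlib.h>
#include <string.h>
typedef struct { unsigned char r, g, b; } rgb_t;
/* Hypothetical stand-in for png_info's palette fields, not libpng's struct. */
typedef struct { rgb_t *palette; int num_palette; } info_t;
/* Getter in the style of png_get_PLTE: hands out the internal buffer. */
int get_palette(info_t *info, rgb_t **out) {
    *out = info->palette; return info->num_palette;
}
/* Safe ordering: copy into a fresh buffer first, free the old one last, so it
 * stays correct when `src` aliases info->palette. The vulnerable ordering the
 * advisory describes freed the buffer before the copy, so `src` dangled. */
int set_palette(info_t *info, const rgb_t *src, int n) {
    rgb_t *copy = malloc((size_t)n * sizeof *copy);
    if (copy == NULL) return -1;
    memcpy(copy, src, (size_t)n * sizeof *copy); /* src is still valid here */
    free(info->palette);                         /* old buffer goes last */
    info->palette = copy;
    info->num_palette = n;
    return 0;
}
/* Caller-side workaround from the advisory: copy the getter's output into a
 * caller-owned buffer before passing it to the setter. */
int set_palette_via_copy(info_t *info) {
    rgb_t *p;
    int n = get_palette(info, &p);
    rgb_t *mine = malloc((size_t)n * sizeof *mine);
    if (mine == NULL) return -1;
    memcpy(mine, p, (size_t)n * sizeof *mine);
    int rc = set_palette(info, mine, n);
    free(mine);
    return rc;
}
/* Run get -> set on the same struct, first aliased and then via the workaround,
 * and return the sum of the surviving channels ((1,2,3),(4,5,6) gives 21). */
int aliased_roundtrip_sum(void) {
    rgb_t seed[2] = { {1, 2, 3}, {4, 5, 6} }; /* constructed sample palette */
    info_t info = { NULL, 0 };
    rgb_t *p; int n, sum = 0;
    if (set_palette(&info, seed, 2) != 0) return -1;
    n = get_palette(&info, &p);
    if (set_palette(&info, p, n) != 0) return -1; /* aliased: p == info.palette */
    if (set_palette_via_copy(&info) != 0) return -1;
    for (int i = 0; i < info.num_palette; i++)
        sum += info.palette[i].r + info.palette[i].g + info.palette[i].b;
    free(info.palette);
    return sum;
}
```

With the free-before-copy ordering the aliased call would read freed memory; here the palette survives both the aliased call and the copying workaround unchanged.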