CVE-2026-33416
Published: 26 March 2026
Summary
CVE-2026-33416 is a high-severity Use After Free (CWE-416) vulnerability in libpng. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 7.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-33416 is a use-after-free vulnerability (CWE-416) in the LIBPNG library, a reference implementation for reading, creating, and manipulating PNG raster image files. The issue affects versions 1.2.1 through 1.6.55 and stems from the `png_set_tRNS` and `png_set_PLTE` functions, which alias heap-allocated buffers between `png_struct` and `png_info` structures that have independent lifetimes. Specifically, `png_set_tRNS` shares a 256-byte `trans_alpha` buffer, and `png_set_PLTE` shares a 768-byte `palette` buffer. Calling `png_free_data` with `PNG_FREE_TRNS` or `PNG_FREE_PLTE` frees the buffer via `info_ptr`, leaving a dangling pointer in `png_ptr`. Subsequent row-transform functions then dereference and potentially write to the freed memory. A second call to either function triggers the same issue, as they internally invoke `png_free_data` before reallocating.
Remote attackers can exploit this vulnerability over a network with no privileges required, though it demands high attack complexity and user interaction, such as convincing a user to process a malicious PNG file in an affected application. Successful exploitation leads to high-impact consequences, including arbitrary code execution, data disclosure, or denial of service, as indicated by the CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H). Applications embedding LIBPNG for PNG handling are at risk if they invoke these functions in the described sequence.
The vulnerability is fixed in LIBPNG version 1.6.56. Mitigation involves upgrading to this patched release, with relevant changes detailed in upstream GitHub commits such as 23019269764e35ed8458e517f1897bd3c54820eb, 7ea9eea884a2328cc7fdcb3c0c00246a50d90667, a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25, and c1b0318b393c90679e6fa5bc1d329fd5d5012ec1, as well as pull request 824. Security practitioners should audit dependent libraries in software stacks and apply patches promptly.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-16258
Vulnerability details
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, `png_set_tRNS` and `png_set_PLTE` each alias a heap-allocated buffer between `png_struct` and `png_info`, sharing a single allocation across two structs with independent lifetimes. The `trans_alpha` aliasing has been present since at least libpng 1.0, and the `palette` aliasing since at least 1.2.1. Both affect all prior release lines. `png_set_tRNS` sets `png_ptr->trans_alpha = info_ptr->trans_alpha` (256-byte buffer) and `png_set_PLTE` sets `info_ptr->palette = png_ptr->palette` (768-byte buffer). In both cases, calling `png_free_data` (with `PNG_FREE_TRNS` or `PNG_FREE_PLTE`) frees the buffer through `info_ptr` while the corresponding `png_ptr` pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory. A second call to `png_set_tRNS` or `png_set_PLTE` has the same effect, because both functions call `png_free_data` internally before reallocating the `info_ptr` buffer. Version 1.6.56 fixes the issue.
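To make the aliasing described above (and in the deeper analysis) concrete, here is a cut-down C model added for this page; it is constructed, not libpng's code, not the upstream fix and not the referenced proof of concept. It places the vulnerable sharing pattern beside one remediation, giving each struct its own copy of the buffer, and checks which of the two leaves the `png_struct` side pointing at memory that was released through the `png_info` side. The `model_png_*` types, `free_trns`, `demo`, the one-slot freed-block log and the sample alpha bytes are all assumptions of the model.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define TRNS_BYTES 256   /* size of the tRNS buffer the advisory describes */
/* Constructed stand-ins for png_struct / png_info; not libpng's real types. */
typedef struct { unsigned char *trans_alpha; } model_png_struct;
typedef struct { unsigned char *trans_alpha; } model_png_info;
static uintptr_t g_last_freed;   /* block free_trns() released last (one-slot sanitizer-style log) */

/* Vulnerable pattern: both structs point at one allocation, neither owns a copy. */
void set_trns_aliased(model_png_struct *png, model_png_info *info,
                      const unsigned char *alpha, size_t n) {
    info->trans_alpha = calloc(TRNS_BYTES, 1);
    memcpy(info->trans_alpha, alpha, n);
    png->trans_alpha = info->trans_alpha;
}

/* Hardened pattern: png_struct keeps an independent copy, so releasing
 * png_info's buffer cannot invalidate it. */
void set_trns_owned(model_png_struct *png, model_png_info *info,
                    const unsigned char *alpha, size_t n) {
    info->trans_alpha = calloc(TRNS_BYTES, 1);
    memcpy(info->trans_alpha, alpha, n);
    png->trans_alpha = calloc(TRNS_BYTES, 1);
    memcpy(png->trans_alpha, info->trans_alpha, TRNS_BYTES);
}

/* Models png_free_data(..., PNG_FREE_TRNS, ...): frees through info only. */
void free_trns(model_png_info *info) {
    g_last_freed = (uintptr_t)info->trans_alpha;
    free(info->trans_alpha);
    info->trans_alpha = NULL;
}

/* 1 if png_struct still refers to the block free_trns() released, i.e. a
 * later row transform would read or write freed memory; 0 otherwise. */
int png_trns_is_dangling(const model_png_struct *png) {
    return png->trans_alpha != NULL && (uintptr_t)png->trans_alpha == g_last_freed;
}

/* Set, free through info, report: 1 = dangling pointer left in png_struct, 0 = safe. */
int demo(int aliased) {
    model_png_struct png = {0}; model_png_info info = {0};
    const unsigned char alpha[3] = {0, 128, 255};   /* constructed sample values */
    if (aliased) set_trns_aliased(&png, &info, alpha, sizeof alpha);
    else         set_trns_owned(&png, &info, alpha, sizeof alpha);
    free_trns(&info);
    int dangling = png_trns_is_dangling(&png);
    if (!dangling) free(png.trans_alpha);   /* the owned copy is ours to release */
    return dangling;
}
```

Building the aliased variant with AddressSanitizer and adding a read of `png.trans_alpha` after `free_trns` reports the heap-use-after-free directly, which is the check to run against any local copy of the affected functions.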
- CWE: CWE-416 (Use After Free)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A use-after-free in libpng reachable through a crafted PNG can lead to remote code execution; this maps directly to the drive-by compromise (T1189), public-facing application exploitation (T1190), malicious-file user execution (T1204.002), and spearphishing attachment (T1566.001) vectors consistent with the CVE description.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely identification, reporting, and correction of flaws such as the use-after-free in LIBPNG versions 1.2.1 through 1.6.55, by patching to version 1.6.56.
- SI-16 (Memory Protection): implements memory protection mechanisms such as ASLR, DEP, and stack canaries to mitigate exploitation of the dangling-pointer dereference and writes in the row-transform functions.
- RA-5 (Vulnerability Monitoring and Scanning): mandates vulnerability scanning to identify systems running LIBPNG versions affected by CVE-2026-33416, enabling targeted remediation.