Cyber Resilience

CVE-2026-33416

High severity · Public PoC

Published: 26 March 2026

Modified: 02 April 2026
KEV Added: not listed
Patch: libpng 1.6.56
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (7.8th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-33416 is a high-severity Use After Free (CWE-416) vulnerability in libpng (vendor: Libpng). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The CVE is ranked at the 7.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-33416 is a use-after-free vulnerability (CWE-416) in the LIBPNG library, a reference implementation for reading, creating, and manipulating PNG raster image files. The issue affects versions 1.2.1 through 1.6.55 and stems from the `png_set_tRNS` and `png_set_PLTE` functions, which alias heap-allocated buffers between `png_struct` and `png_info` structures that have independent lifetimes. Specifically, `png_set_tRNS` shares a 256-byte `trans_alpha` buffer, and `png_set_PLTE` shares a 768-byte `palette` buffer. Calling `png_free_data` with `PNG_FREE_TRNS` or `PNG_FREE_PLTE` frees the buffer via `info_ptr`, leaving a dangling pointer in `png_ptr`. Subsequent row-transform functions then dereference and potentially write to the freed memory. A second call to either function triggers the same issue, as they internally invoke `png_free_data` before reallocating.

Remote attackers can exploit this vulnerability over a network with no privileges required, though it demands high attack complexity and user interaction, such as convincing a user to process a malicious PNG file in an affected application. Successful exploitation leads to high-impact consequences, including arbitrary code execution, data disclosure, or denial of service, as indicated by the CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H). Applications embedding LIBPNG for PNG handling are at risk if they invoke these functions in the described sequence.

The vulnerability is fixed in LIBPNG version 1.6.56. Mitigation involves upgrading to this patched release, with relevant changes detailed in upstream GitHub commits such as 23019269764e35ed8458e517f1897bd3c54820eb, 7ea9eea884a2328cc7fdcb3c0c00246a50d90667, a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25, and c1b0318b393c90679e6fa5bc1d329fd5d5012ec1, as well as pull request 824. Security practitioners should audit dependent libraries in software stacks and apply patches promptly.
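The audit step above reduces to one question per host: is the installed libpng inside the affected range 1.2.1 through 1.6.55? The following is an added example, not libpng's or this site's code, that answers it for a version string. The struct and function names are hypothetical, the sample strings in main() are constructed, and on a real system the input is assumed to come from something like `pkg-config --modversion libpng` where libpng's .pc file is installed.

```c
/* Added example (not libpng's own code): decide whether a libpng version
 * string falls in the range the advisory lists as affected, 1.2.1 through
 * 1.6.55, i.e. anything from 1.2.1 up to but not including the 1.6.56 fix.
 * The version strings in main() are constructed samples; on a real host the
 * input would come from e.g. `pkg-config --modversion libpng` (assumed to
 * be available wherever libpng's .pc file is installed). */
#include <stdio.h>
#include <stdlib.h>

struct pngver { long major, minor, patch; };

/* Parse "MAJOR.MINOR.PATCH". A trailing suffix after PATCH (e.g. "1.6.55git")
 * is tolerated; anything else malformed returns 0. */
static int parse_pngver(const char *s, struct pngver *v)
{
    long parts[3];
    char *end;
    for (int i = 0; i < 3; i++) {
        if (*s < '0' || *s > '9') return 0;   /* each component must start with a digit */
        parts[i] = strtol(s, &end, 10);
        if (i < 2) {
            if (*end != '.') return 0;
            s = end + 1;
        }
    }
    v->major = parts[0]; v->minor = parts[1]; v->patch = parts[2];
    return 1;
}

/* Lexicographic compare of (major, minor, patch): -1, 0 or 1. */
static int cmp_pngver(const struct pngver *a, const struct pngver *b)
{
    if (a->major != b->major) return a->major < b->major ? -1 : 1;
    if (a->minor != b->minor) return a->minor < b->minor ? -1 : 1;
    if (a->patch != b->patch) return a->patch < b->patch ? -1 : 1;
    return 0;
}

/* 1 = in the affected range, 0 = outside it, -1 = unparseable input. */
int libpng_version_is_vulnerable(const char *version)
{
    static const struct pngver first_affected = { 1, 2, 1 };
    static const struct pngver fixed          = { 1, 6, 56 };
    struct pngver v;
    if (!parse_pngver(version, &v)) return -1;
    return cmp_pngver(&v, &first_affected) >= 0 && cmp_pngver(&v, &fixed) < 0;
}

int main(void)
{
    /* constructed samples covering both range boundaries and a bad input */
    const char *samples[] = { "1.2.0", "1.2.1", "1.6.37", "1.6.55", "1.6.56", "not-a-version" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %d\n", samples[i], libpng_version_is_vulnerable(samples[i]));
    return 0;
}
```

The check is deliberately exclusive of 1.6.56 so that the patched release is reported as clean, and it returns a distinct -1 for strings it cannot parse so a scanner does not silently treat an unknown version as safe.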

EU & UK References

Vulnerability details

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, `png_set_tRNS` and `png_set_PLTE` each alias a heap-allocated buffer between `png_struct` and `png_info`, sharing a single allocation across two structs with independent lifetimes. The `trans_alpha` aliasing has been present since at least libpng 1.0, and the `palette` aliasing since at least 1.2.1; both affect all prior release lines. `png_set_tRNS` sets `png_ptr->trans_alpha = info_ptr->trans_alpha` (256-byte buffer) and `png_set_PLTE` sets `info_ptr->palette = png_ptr->palette` (768-byte buffer). In both cases, calling `png_free_data` (with `PNG_FREE_TRNS` or `PNG_FREE_PLTE`) frees the buffer through `info_ptr` while the corresponding `png_ptr` pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory. A second call to `png_set_tRNS` or `png_set_PLTE` has the same effect, because both functions call `png_free_data` internally before reallocating the `info_ptr` buffer. Version 1.6.56 fixes the issue.
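The aliasing described in the two analysis passages above (one heap buffer pointed to by both `png_struct` and `png_info`, freed through only one of them) is easiest to see in a reduced model. The block below is an added example, not libpng's code: `model_png`, `model_info`, `set_trns_aliased`, `set_trns_owned` and `free_info_trns` are hypothetical stand-ins for `png_struct`, `png_info`, `png_set_tRNS` and `png_free_data(PNG_FREE_TRNS)`. It sets up the shared-buffer pattern beside an owned-copy pattern, frees through the info side in both, and reports which one leaves the png side holding a released address. Addresses are recorded as integers before the free, so the model itself never touches freed memory.

```c
/* Added example (not libpng's own code): a minimal model of the buffer
 * aliasing pattern behind CVE-2026-33416, beside the owned-copy pattern
 * that avoids it. model_png / model_info / set_trns_aliased /
 * free_info_trns are hypothetical stand-ins for png_struct / png_info /
 * png_set_tRNS / png_free_data(PNG_FREE_TRNS). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TRNS_SIZE 256  /* size of the trans_alpha buffer named on the page */

/* Two structs with independent lifetimes, each holding a transparency table. */
struct model_png  { unsigned char *trans_alpha; };
struct model_info { unsigned char *trans_alpha; };

typedef int (*trns_setter)(struct model_png *, struct model_info *,
                           const unsigned char *, size_t);

/* Allocate a zeroed table and copy up to TRNS_SIZE bytes of src into it. */
static unsigned char *alloc_table(const unsigned char *src, size_t n)
{
    unsigned char *buf = calloc(1, TRNS_SIZE);
    if (buf != NULL)
        memcpy(buf, src, n > TRNS_SIZE ? TRNS_SIZE : n);
    return buf;
}

/* Buggy pattern: one allocation, two owners. Returns 0 on success. */
static int set_trns_aliased(struct model_png *png, struct model_info *info,
                            const unsigned char *src, size_t n)
{
    unsigned char *buf = alloc_table(src, n);
    if (buf == NULL) return -1;
    info->trans_alpha = buf;
    png->trans_alpha  = info->trans_alpha;  /* alias: png now shares info's buffer */
    return 0;
}

/* Hardened pattern: each struct owns its own copy. Returns 0 on success. */
static int set_trns_owned(struct model_png *png, struct model_info *info,
                          const unsigned char *src, size_t n)
{
    unsigned char *for_info = alloc_table(src, n);
    unsigned char *for_png  = alloc_table(src, n);
    if (for_info == NULL || for_png == NULL) {
        free(for_info);
        free(for_png);
        return -1;
    }
    info->trans_alpha = for_info;
    png->trans_alpha  = for_png;
    return 0;
}

/* Model of png_free_data(info_ptr, PNG_FREE_TRNS): releases only through info. */
static void free_info_trns(struct model_info *info)
{
    free(info->trans_alpha);
    info->trans_alpha = NULL;
}

/* Runs set -> free-through-info and reports whether png is left holding the
 * released address (1), a valid private copy (0), or failed to set up (-1).
 * Both addresses are captured as integers before the free, so no freed
 * pointer is ever dereferenced or compared. */
static int leaves_dangling(trns_setter setter)
{
    static const unsigned char sample[4] = { 0x00, 0x7f, 0xff, 0x10 }; /* constructed */
    struct model_png  png  = { NULL };
    struct model_info info = { NULL };

    if (setter(&png, &info, sample, sizeof sample) != 0) return -1;

    uintptr_t info_addr = (uintptr_t)info.trans_alpha;
    uintptr_t png_addr  = (uintptr_t)png.trans_alpha;
    free_info_trns(&info);

    int dangling = (png_addr == info_addr);
    if (!dangling)
        free(png.trans_alpha);  /* owned copy is still valid: release it cleanly */
    /* In the aliased case png.trans_alpha must NOT be freed or read again;
     * that second use is exactly the CWE-416 condition the advisory describes. */
    return dangling;
}

int model_aliased_dangles(void) { return leaves_dangling(set_trns_aliased); }
int model_owned_dangles(void)   { return leaves_dangling(set_trns_owned); }

int main(void)
{
    printf("aliased pattern leaves dangling pointer:    %d\n", model_aliased_dangles());
    printf("owned-copy pattern leaves dangling pointer: %d\n", model_owned_dangles());
    return 0;
}
```

Building this model with AddressSanitizer and adding a read through `png.trans_alpha` after the free in the aliased path is the quickest way to see the class of report a fuzzing harness would raise for the real library; the owned-copy variant is the shape of fix that removes the shared lifetime altogether.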

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1189 Drive-by Compromise (Initial Access)
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1204.002 Malicious File (Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.

T1566.001 Spearphishing Attachment (Initial Access)
Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems.
Why these techniques?

The use-after-free in libpng can lead to code execution via a crafted PNG; this maps directly to the drive-by (T1189), public-facing application exploitation (T1190), malicious file user execution (T1204.002), and spearphishing attachment (T1566.001) vectors described in the CVE.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-22695: same product (Libpng libpng)
CVE-2026-25646: same product (Libpng libpng)
CVE-2026-33636: same product (Libpng libpng)
CVE-2026-22801: same product (Libpng libpng)
CVE-2025-21387: shared CWE-416
CVE-2025-21394: shared CWE-416
CVE-2025-1009: shared CWE-416
CVE-2026-32198: shared CWE-416
CVE-2026-33095: shared CWE-416
CVE-2025-63651: shared CWE-416

Affected Assets

libpng (vendor: Libpng), versions 1.2.1 to 1.6.56

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: SI-2 Flaw Remediation
Directly requires timely identification, reporting, and correction of flaws such as the use-after-free vulnerability in LIBPNG versions 1.2.1 through 1.6.55 by patching to version 1.6.56.

Prevent: memory protection
Implements memory protection mechanisms such as ASLR, DEP, and stack canaries to mitigate exploitation of the dangling pointer dereference and writes in row-transform functions.

Detect: RA-5 Vulnerability Monitoring and Scanning
Mandates vulnerability scanning to identify systems using vulnerable LIBPNG versions affected by CVE-2026-33416, enabling targeted remediation.

References