CVE-2026-34757

Published: April 9th, 2026
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.0.9 to before 1.6.57, passing a pointer obtained from png_get_PLTE, png_get_tRNS, or png_get_hIST back into the corresponding setter on the same png_struct/png_info pair causes the setter to read from freed memory and copy its contents into the replacement buffer. The setter frees the internal buffer before copying from the caller-supplied pointer, which now dangles. The freed region may contain stale data (producing silently corrupted chunk metadata) or data from subsequent heap allocations (leaking unrelated heap contents into the chunk struct). This vulnerability is fixed in 1.6.57.
MEDIUM
CVSS v3: 5.1

Status

DocFilters Release Package State Justification Comment
26.2 libpng (1.6.40) Resolved Code Not Present Patched applied from https://github.com/pnggroup/libpng/commit/398cbe3df03f4e11bb031e07f416dfdde3684e8a
26.1 libpng (1.6.40) Needs Triage
25.4 libpng (1.6.40) Needs Triage
25.3 libpng (1.6.40) Needs Triage
25.2 libpng (1.6.40) Needs Triage
25.1 libpng (1.6.40) Needs Triage
24.4 libpng (1.6.40) Needs Triage
24.4.0 libpng (1.6.40) Needs Triage
24.3 libpng (1.6.40) Needs Triage
24.2 libpng (1.6.40) Needs Triage
24.1 libpng (1.6.40) Needs Triage
23.3 libpng (1.6.40) Needs Triage
23.2 libpng (1.6.37) Needs Triage
23.1 libpng (1.6.37) Needs Triage
22.4 libpng (1.6.37) Needs Triage
22.3 libpng (1.6.37) Needs Triage
22.2 libpng (1.6.37) Needs Triage
22.1 libpng (1.6.37) Needs Triage
21.11 libpng (1.6.37) Needs Triage
21.8 libpng (1.6.37) Needs Triage
21.5.0 libpng (1.6.37) Needs Triage
21.2.0 libpng (1.6.37) Needs Triage
11.4.19.3667 libpng (1.6.37) Needs Triage
11.4.18.3599 libpng (1.6.37) Needs Triage
11.4.16.3445 libpng (1.6.28) Needs Triage
11.4.15.3368 libpng (1.6.28) Needs Triage
11.4.14.3263 libpng (1.6.28) Needs Triage
11.4.13.3179 libpng (1.6.28) Needs Triage
11.4.12.3054 libpng (1.6.28) Needs Triage
11.4.11.3040 libpng (1.6.28) Needs Triage
11.4.11.2990 libpng (1.6.28) Needs Triage
11.4.10.2934 libpng (1.6.28) Needs Triage
11.4.9.2878 libpng (1.6.28) Needs Triage
11.4.8.2822 libpng (1.6.28) Needs Triage

Severity score breakdown

Attack Complexity
LOW
Attack Vector
LOCAL
Availability Impact
NONE
Base Score
5.1
Base Severity
MEDIUM
Confidentiality Impact
LOW
Integrity Impact
LOW
Privileges Required
NONE
Scope
UNCHANGED
User Interaction
NONE
Vector String
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Version
3.1

References