Two significant security vulnerabilities have been identified in libpng, a critical library used extensively for processing PNG images. These weaknesses enable attackers to crash processes, access sensitive data, and potentially execute arbitrary code by supplying a crafted PNG file.
Impact on Systems
The vulnerabilities pose a considerable risk to any software that processes malformed images, affecting web applications, embedded systems, and server-side image processing setups. With the ability to compromise system integrity, these flaws demand urgent attention.
Details of the Use-After-Free Flaw
The first issue, identified as CVE-2026-33416, is a use-after-free flaw caused by pointer aliasing. In versions of libpng up to 1.6.55, a memory allocation is shared across two structures, which leaves a dangling pointer when that memory is freed through one of them. Attackers can manipulate transparency values in a PNG file to control memory buffer corruption, potentially executing arbitrary code on unprotected systems.
ARM-Specific Out-of-Bounds Flaw
The second vulnerability, CVE-2026-33636, concerns an out-of-bounds read and write issue on ARM and AArch64 hardware. Located in the ARM Neon-optimized code, this flaw arises during 8-bit palette expansion, leading to memory access errors. While arbitrary code execution is not confirmed, the flaw can cause process crashes, posing a threat to system availability.
Administrators are advised to update libpng to versions 1.6.56 or 1.8.0, which resolve these vulnerabilities by isolating pointer allocations and correcting ARM loop boundaries. Alternatively, disabling hardware optimizations can temporarily mitigate the out-of-bounds issue, albeit with reduced performance.
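A triage helper for the update advice above, as an added example that is not code from libpng or from the advisory: it sorts libpng builds into fixed, affected, or needing manual review, and reports the ARM-only flaw only on ARM or AArch64 hosts. Assumptions: every release below 1.6.56 is treated as affected by both issues (the article gives no lower bound and no separate range for CVE-2026-33636), 1.7.x is sent to manual review because the article does not cover it, and the inventory rows and architecture labels are constructed.

```python
import ctypes
import ctypes.util
import re

FIXED_16 = (1, 6, 56)  # fixed 1.6.x release named in the article
FIXED_18 = (1, 8, 0)   # fixed 1.8 release named in the article
ARM_ARCHES = {"arm", "armhf", "armv7l", "arm64", "aarch64"}  # assumed arch labels

def parse_version(value):
    """Accept '1.6.55', a distro string like '1.6.43-5build1', or an int such as 10655."""
    if isinstance(value, int):  # png_access_version_number() encoding: xyyzz
        return (value // 10000, (value // 100) % 100, value % 100)
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", value)
    if not m:
        raise ValueError(f"unrecognised libpng version: {value!r}")
    return tuple(int(p) for p in m.groups())

def triage(version, arch):
    """Return the findings that apply to one libpng build (empty list = fixed)."""
    v = parse_version(version)
    if v >= FIXED_18 or (v[:2] == (1, 6) and v >= FIXED_16):
        return []
    if v > FIXED_16:  # e.g. 1.7.x: not covered by the article
        return ["REVIEW-MANUALLY"]
    findings = ["CVE-2026-33416"]
    if arch.lower() in ARM_ARCHES:  # Neon palette-expansion flaw is ARM/AArch64 only
        findings.append("CVE-2026-33636")
    return findings

def loaded_libpng_version():
    """Version number of the libpng the dynamic loader resolves here, or None."""
    name = ctypes.util.find_library("png")
    if not name:
        return None
    try:
        lib = ctypes.CDLL(name)
        lib.png_access_version_number.restype = ctypes.c_uint32
        return int(lib.png_access_version_number())
    except (OSError, AttributeError):
        return None

# Constructed inventory rows: (host, architecture, libpng version)
INVENTORY = [("web-01", "x86_64", "1.6.55"), ("cam-07", "aarch64", "1.6.43-5build1"),
             ("img-02", "x86_64", "1.6.56"), ("edge-3", "armv7l", 10800)]

if __name__ == "__main__":
    for host, arch, ver in INVENTORY:
        print(host, triage(ver, arch) or "ok")
    print("local libpng:", loaded_libpng_version())
```

Distribution packages may carry backported fixes under an older upstream version number, so a hit on a packaged build should be confirmed against the vendor's advisory. Statically linked or bundled copies of libpng are not visible to the loader check and need a separate inventory.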
