PNG Vulnerabilities Allow Attackers to Crash Systems and Leak Sensitive Data

Security researchers have disclosed two high-severity vulnerabilities in libpng, the widely deployed reference library used for processing Portable Network Graphics (PNG) image files.

These flaws allow remote attackers to trigger process crashes, leak sensitive heap memory, and potentially achieve arbitrary code execution by tricking applications into processing specially crafted, standards-compliant PNG images.

Both vulnerabilities require immediate patching to secure affected software ecosystems.

The first vulnerability, tracked as CVE-2026-33416 with a High CVSS severity score of 8.1, stems from a use-after-free condition within the library’s transparency and palette-handling code.

Specifically, functions like png_set_tRNS and png_set_PLTE improperly alias a single heap-allocated buffer between the png_struct and png_info structures, which have independent lifetimes.

When an application releases memory, the buffer is freed through one structure, leaving a dangling pointer in the other.

During subsequent image row-transform operations, the software dereferences this dangling pointer.

Because the attacker fully controls the transparency chunk values inside the malicious PNG file, they can deterministically influence the data written back to the freed memory block.

This results in read-after-free conditions that can leak sensitive application data, as well as write-after-free conditions that cause severe heap corruption.

Under specific conditions, particularly on embedded systems or legacy servers lacking modern memory randomization (PIE/ASLR), this memory corruption has been weaponized to demonstrate arbitrary code execution.

This flaw affects libpng versions 1.2.1 through 1.6.55.

The second vulnerability, designated as CVE-2026-33636 with a High CVSS score of 7.1, is an out-of-bounds read and write flaw located in the ARM/AArch64 Neon-optimized palette expansion routines.

When expanding 8-bit paletted rows to standard color formats, the hardware-optimized loop processes final image chunks without accurately verifying whether enough input pixels remain.

The loop’s final iteration dereferences pointers well before the start of the image buffer, writing attacker-influenced palette data at negative offsets from the row buffer, directly resulting in heap corruption.

While arbitrary code execution has not been proven for this bug, it reliably causes process crashes, leading to a high-impact denial-of-service condition.

It also enables out-of-bounds reads that may leak sensitive heap contents through decoded pixel outputs.

This issue is strictly limited to ARM/AArch64 environments compiled with Neon optimizations enabled, impacting versions 1.6.36 through 1.6.55.
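
The bounds problem described for CVE-2026-33636 can be illustrated with a simplified scalar model, added here as an example; it is not libpng code. The chunk size of 4, the right-to-left in-place row layout, and the names lowest_index_unguarded and expand_palette_rgba are assumptions of the model: the first function shows, by index arithmetic only, where a chunked loop that merely checks "any pixel left?" would start its last chunk, and the second is a bounded loop with a scalar tail.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHUNK 4 /* pixels per wide step; assumed stand-in for one SIMD iteration */

/* Lowest row index an unguarded right-to-left chunked loop would touch.
 * Pure index arithmetic, nothing is dereferenced. Negative = before the row. */
long lowest_index_unguarded(long width)
{
    long lowest = width;
    for (long i = 0; i < width; i += CHUNK) /* only asks "is any pixel left?" */
        lowest = width - i - CHUNK;         /* first index of the chunk taken */
    return lowest;
}

/* Bounded in-place expansion: row[0..width) holds palette indices on entry and
 * row[0..4*width) holds RGBA on return. pal is 256 RGBA entries, 4 bytes each.
 * Returns the number of bytes written. */
size_t expand_palette_rgba(uint8_t *row, size_t width, const uint8_t *pal)
{
    size_t left = width;
    while (left >= CHUNK) {                 /* a whole chunk must remain */
        uint8_t idx[CHUNK];
        size_t base = left - CHUNK;
        memcpy(idx, row + base, CHUNK);     /* read indices before overwriting */
        for (size_t k = 0; k < CHUNK; k++)
            memcpy(row + 4 * (base + k), pal + 4 * idx[k], 4);
        left = base;
    }
    while (left > 0) {                      /* scalar tail: 1..CHUNK-1 pixels */
        uint8_t idx = row[--left];
        memcpy(row + 4 * left, pal + 4 * idx, 4);
    }
    return 4 * width;
}

int main(void)
{
    /* Constructed sample: width 6 is not a multiple of CHUNK. */
    uint8_t pal[256 * 4] = {0}, row[6 * 4] = {1, 0, 1, 1, 0, 1};
    memset(pal + 4, 0xFF, 4);               /* entry 1 = opaque white */
    size_t n = expand_palette_rgba(row, 6, pal);
    printf("unguarded loop would start at index %ld\n", lowest_index_unguarded(6));
    printf("bounded loop wrote %zu bytes, first pixel R=%d\n", n, row[0]);
    return 0;
}
```

Widths that are not a multiple of the chunk size are the case to cover in regression tests, ideally with guard bytes or a sanitizer around the row buffer.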

Organizations must urgently upgrade to libpng version 1.6.56 or the 1.8.0 trunk release, which correctly decouples memory lifetimes and enforces strict loop boundaries.


The post PNG Vulnerabilities Allow Attackers to Crash Systems and Leak Sensitive Data appeared first on Cyber Security News.

