CVE-2026-34757

EUVD-2026-20897
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.0.9 to before 1.6.57, passing a pointer obtained from png_get_PLTE, png_get_tRNS, or png_get_hIST back into the corresponding setter on the same png_struct/png_info pair causes the setter to read from freed memory and copy its contents into the replacement buffer. The setter frees the internal buffer before copying from the caller-supplied pointer, which now dangles. The freed region may contain stale data (producing silently corrupted chunk metadata) or data from subsequent heap allocations (leaking unrelated heap contents into the chunk struct). This vulnerability is fixed in 1.6.57.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.1 MEDIUM
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
libpnglibpng
1.0.9 ≤
𝑥
< 1.6.57
debiandebian_linux
11.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libpng1.6
bookworm
1.6.39-2+deb12u5
fixed
bookworm (security)
1.6.39-2+deb12u5
fixed
bullseye
vulnerable
bullseye (security)
1.6.37-3+deb11u4
fixed
forky
1.6.58-1
fixed
sid
1.6.58-1
fixed
trixie
1.6.48-1+deb13u5
fixed
trixie (security)
1.6.48-1+deb13u5
fixed
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
libpng12-0
suse enterprise desktop 15 SP7
1.2.59-150000.4.11.1
fixed
suse enterprise sap 15 SP4
1.2.59-150000.4.11.1
fixed
suse enterprise sap 15 SP5
1.2.59-150000.4.11.1
fixed
suse enterprise sap 15 SP6
1.2.59-150000.4.11.1
fixed
suse enterprise sap 15 SP7
1.2.59-150000.4.11.1
fixed
suse enterprise server 12 SP3
1.2.59-20.14.1
fixed
suse enterprise server 12 SP5
1.2.59-20.14.1
fixed
suse enterprise server 15 SP4
1.2.59-150000.4.11.1
fixed
suse enterprise server 15 SP5
1.2.59-150000.4.11.1
fixed
suse enterprise server 15 SP6
1.2.59-150000.4.11.1
fixed
suse enterprise server 15 SP7
1.2.59-150000.4.11.1
fixed
libpng12-0-32bit
suse enterprise server 12 SP3
1.2.59-20.14.1
fixed
suse enterprise server 12 SP5
1.2.59-20.14.1
fixed
libpng12-compat-devel
suse enterprise server 12 SP5
1.2.59-20.14.1
fixed
libpng12-devel
suse enterprise desktop 15 SP7
1.2.59-150000.4.11.1
fixed
suse enterprise sap 15 SP4
1.2.59-150000.4.11.1
fixed
suse enterprise sap 15 SP5
1.2.59-150000.4.11.1
fixed
suse enterprise sap 15 SP6
1.2.59-150000.4.11.1
fixed
suse enterprise sap 15 SP7
1.2.59-150000.4.11.1
fixed
suse enterprise server 12 SP5
1.2.59-20.14.1
fixed
suse enterprise server 15 SP4
1.2.59-150000.4.11.1
fixed
suse enterprise server 15 SP5
1.2.59-150000.4.11.1
fixed
suse enterprise server 15 SP6
1.2.59-150000.4.11.1
fixed
suse enterprise server 15 SP7
1.2.59-150000.4.11.1
fixed
libpng15-15
suse enterprise server 12 SP3
1.5.22-10.10.1
fixed
suse enterprise server 12 SP5
1.5.22-10.10.1
fixed
libpng16-16
suse enterprise desktop 15 SP7
1.6.40-150600.3.20.1
fixed
suse enterprise sap 15 SP7
1.6.40-150600.3.20.1
fixed
suse enterprise server 12 SP3
1.6.8-15.24.1
fixed
suse enterprise server 15 SP7
1.6.40-150600.3.20.1
fixed
libpng16-16-32bit
suse enterprise desktop 15 SP7
1.6.40-150600.3.20.1
fixed
suse enterprise sap 15 SP7
1.6.40-150600.3.20.1
fixed
suse enterprise server 12 SP3
1.6.8-15.24.1
fixed
suse enterprise server 15 SP7
1.6.40-150600.3.20.1
fixed
libpng16-compat-devel
suse enterprise desktop 15 SP7
1.6.40-150600.3.20.1
fixed
suse enterprise sap 15 SP7
1.6.40-150600.3.20.1
fixed
suse enterprise server 15 SP7
1.6.40-150600.3.20.1
fixed
libpng16-devel
suse enterprise desktop 15 SP7
1.6.40-150600.3.20.1
fixed
suse enterprise sap 15 SP7
1.6.40-150600.3.20.1
fixed
suse enterprise server 15 SP7
1.6.40-150600.3.20.1
fixed
Common Weakness Enumeration
References
https://github.com/pnggroup/libpng/commit/398cbe3df03f4e11bb031e07f416dfdde3684e8a
https://github.com/pnggroup/libpng/commit/55d20aaa322c9274491cda82c5cd4f99b48c6bcc
https://github.com/pnggroup/libpng/issues/836
https://github.com/pnggroup/libpng/issues/837
https://github.com/pnggroup/libpng/security/advisories/GHSA-6fr7-g8h7-v645
https://lists.debian.org/debian-lts-announce/2026/05/msg00017.html