CVE-2026-34757
Awaiting Analysis Awaiting Analysis - Queue
Use-After-Free in libpng Setters Causes Memory Corruption

Publication date: 2026-04-09

Last updated on: 2026-05-09

Assigner: GitHub, Inc.

Description
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.0.9 to before 1.6.57, passing a pointer obtained from png_get_PLTE, png_get_tRNS, or png_get_hIST back into the corresponding setter on the same png_struct/png_info pair causes the setter to read from freed memory and copy its contents into the replacement buffer. The setter frees the internal buffer before copying from the caller-supplied pointer, which now dangles. The freed region may contain stale data (producing silently corrupted chunk metadata) or data from subsequent heap allocations (leaking unrelated heap contents into the chunk struct). This vulnerability is fixed in 1.6.57.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-09
Last Modified
2026-05-09
Generated
2026-06-16
AI Q&A
2026-04-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34757
EUVD
EUVD-2026-20897
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
pnggroup libpng From 1.0.9 (inc) to 1.6.57 (exc)
pnggroup libpng 1.6.57
pnggroup libpng 1.6.56
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-34757 is a use-after-free vulnerability in the libpng library affecting the functions png_set_PLTE, png_set_tRNS, and png_set_hIST. The issue arises when a pointer obtained from the corresponding getter functions (png_get_PLTE, png_get_tRNS, or png_get_hIST) is passed directly back into the corresponding setter functions without copying. The setter functions free the internal buffer before copying data from the caller-supplied pointer, which aliases the now-freed internal buffer. This leads to reading from freed heap memory, causing undefined behavior such as heap corruption, crashes, or data corruption.

Technically, the vulnerability is caused by the setter functions assuming the input pointer is independent of the internal buffers they free. However, the getters expose direct pointers to internal buffers, violating this assumption. When the setter frees the internal buffer and then copies from the caller pointer (which points to the freed memory), a use-after-free occurs.

This vulnerability can be triggered by a typical usage pattern where an application calls a getter to obtain a pointer to internal data and then passes that pointer back into the setter without duplicating it first.

Impact Analysis

The vulnerability can lead to heap use-after-free reads, which cause undefined behavior in applications using libpng. This may result in process crashes, data corruption, or nondeterministic behavior depending on the memory allocator state.

Under memory error detection tools like AddressSanitizer (ASan), the vulnerability reliably triggers process aborts due to heap-use-after-free errors during memcpy operations inside the setter functions.

In non-sanitized builds, the undefined behavior can cause silent corruption of PNG chunk metadata or leak unrelated heap contents into PNG structures, potentially compromising data integrity.

Because the vulnerability arises from the public API contract, downstream applications and language bindings that use the getter-to-setter pattern without copying are realistically at risk of encountering this issue accidentally.

Detection Guidance

This vulnerability is a use-after-free bug in the libpng library triggered by passing pointers obtained from getter functions (such as png_get_PLTE, png_get_tRNS, or png_get_hIST) directly back into their corresponding setter functions without copying. Detection involves identifying this specific usage pattern in applications using libpng.

To detect the vulnerability on your system, you can run tests or tools that monitor for heap use-after-free errors during PNG processing, especially when applications perform a 'get, then set back' operation on palette, transparency, or histogram data.

A practical approach is to run the libpng test executable 'pnggetset' (introduced in the fix) which performs roundtrip tests on PLTE, tRNS, and hIST chunks to verify if the vulnerability is present.

If you want to detect the issue dynamically, running your PNG-processing applications under AddressSanitizer (ASan) or similar memory error detectors can reveal heap use-after-free errors triggered by this vulnerability.

There are no specific network commands to detect this vulnerability since it is a library-level bug, but you can audit your software versions and usage patterns.

Mitigation Strategies

The primary mitigation is to upgrade libpng to version 1.6.57 or later, where this vulnerability has been fixed by safely handling pointer aliasing between getter and setter functions.

If upgrading immediately is not possible, avoid passing pointers obtained from getter functions (png_get_PLTE, png_get_tRNS, png_get_hIST) directly back into their corresponding setter functions without first copying the data into a separate buffer.

As a workaround, modify your application code to duplicate the data returned by the getter before passing it to the setter, preventing the setter from reading from freed memory.

Additionally, running your applications under memory sanitizers like AddressSanitizer can help detect and prevent crashes caused by this vulnerability during testing.

Finally, review and apply any patches or updates provided by libpng maintainers that address this issue.

Compliance Impact

The provided information about CVE-2026-34757 does not include any details regarding its impact on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34757. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart