CVE-2026-34757
Use-After-Free in libpng Setters Causes Memory Corruption
Publication date: 2026-04-09
Last updated on: 2026-04-09
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pnggroup | libpng | From 1.0.9 (inc) to 1.6.57 (exc) |
| pnggroup | libpng | 1.6.57 |
| pnggroup | libpng | 1.6.56 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34757 is a use-after-free vulnerability in the libpng library affecting the functions png_set_PLTE, png_set_tRNS, and png_set_hIST. The issue arises when a pointer obtained from the corresponding getter functions (png_get_PLTE, png_get_tRNS, or png_get_hIST) is passed directly back into the corresponding setter functions without copying. The setter functions free the internal buffer before copying data from the caller-supplied pointer, which aliases the now-freed internal buffer. This leads to reading from freed heap memory, causing undefined behavior such as heap corruption, crashes, or data corruption.
Technically, the vulnerability is caused by the setter functions assuming the input pointer is independent of the internal buffers they free. However, the getters expose direct pointers to internal buffers, violating this assumption. When the setter frees the internal buffer and then copies from the caller pointer (which points to the freed memory), a use-after-free occurs.
This vulnerability can be triggered by a typical usage pattern where an application calls a getter to obtain a pointer to internal data and then passes that pointer back into the setter without duplicating it first.
How can this vulnerability impact me? :
The vulnerability can lead to heap use-after-free reads, which cause undefined behavior in applications using libpng. This may result in process crashes, data corruption, or nondeterministic behavior depending on the memory allocator state.
Under memory error detection tools like AddressSanitizer (ASan), the vulnerability reliably triggers process aborts due to heap-use-after-free errors during memcpy operations inside the setter functions.
In non-sanitized builds, the undefined behavior can cause silent corruption of PNG chunk metadata or leak unrelated heap contents into PNG structures, potentially compromising data integrity.
Because the vulnerability arises from the public API contract, downstream applications and language bindings that use the getter-to-setter pattern without copying are realistically at risk of encountering this issue accidentally.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a use-after-free bug in the libpng library triggered by passing pointers obtained from getter functions (such as png_get_PLTE, png_get_tRNS, or png_get_hIST) directly back into their corresponding setter functions without copying. Detection involves identifying this specific usage pattern in applications using libpng.
To detect the vulnerability on your system, you can run tests or tools that monitor for heap use-after-free errors during PNG processing, especially when applications perform a 'get, then set back' operation on palette, transparency, or histogram data.
A practical approach is to run the libpng test executable 'pnggetset' (introduced in the fix) which performs roundtrip tests on PLTE, tRNS, and hIST chunks to verify if the vulnerability is present.
If you want to detect the issue dynamically, running your PNG-processing applications under AddressSanitizer (ASan) or similar memory error detectors can reveal heap use-after-free errors triggered by this vulnerability.
There are no specific network commands to detect this vulnerability since it is a library-level bug, but you can audit your software versions and usage patterns.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade libpng to version 1.6.57 or later, where this vulnerability has been fixed by safely handling pointer aliasing between getter and setter functions.
If upgrading immediately is not possible, avoid passing pointers obtained from getter functions (png_get_PLTE, png_get_tRNS, png_get_hIST) directly back into their corresponding setter functions without first copying the data into a separate buffer.
As a workaround, modify your application code to duplicate the data returned by the getter before passing it to the setter, preventing the setter from reading from freed memory.
Additionally, running your applications under memory sanitizers like AddressSanitizer can help detect and prevent crashes caused by this vulnerability during testing.
Finally, review and apply any patches or updates provided by libpng maintainers that address this issue.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information about CVE-2026-34757 does not include any details regarding its impact on compliance with common standards and regulations such as GDPR or HIPAA.