What is CVE-2026-33416?

CVE-2026-33416 is a high-severity vulnerability in Pnggroup Libpng, classified under Use After Free. CVSS score: 7.5/10. Published 2026-03-26.

How severe is CVE-2026-33416?

High severity. CVSS v3 base score is 7.5 out of 10.

Use After Free in Pnggroup Libpng

CVE-2026-33416

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, `png_set_tRNS` and `png_set_PLTE` each alias a heap-allocated buf…

Vulnerability class: Use-After-Free

EPSS: 0.000 (7.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H.

Affected products

Pnggroup Libpng — versions >= 1.2.1, < 1.6.56

Weakness classification (CWE)

CWE-416 — Use After Free

References

https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j (x_refsource_CONFIRM)
https://github.com/pnggroup/libpng/pull/824 (x_refsource_MISC)
https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb (x_refsource_MISC)
https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667 (x_refsource_MISC)
https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25 (x_refsource_MISC)
https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-33416?: CVE-2026-33416 is a high-severity vulnerability in Pnggroup Libpng, classified under Use After Free. CVSS score: 7.5/10. Published 2026-03-26.
How severe is CVE-2026-33416?: High severity. CVSS v3 base score is 7.5 out of 10.