#libpng 1.6.56 fixes two high-severity vulnerabilities: CVE-2026-33416 and CVE-2026-33636.

Of these, CVE-2026-33416 (use-after-free via pointer aliasing in png_set_tRNS and png_set_PLTE) is particularly serious, as arbitrary code execution has been demonstrated. Applications that call png_free_data() to release memory between png_read_info() and png_read_update_info() are affected.

https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j

The second vulnerability, CVE-2026-33636 (out-of-bounds read/write in the palette expansion on ARM Neon), is of more limited concern, as only crashes have been demonstrated. More serious impacts have not been ruled out, however.

https://github.com/pnggroup/libpng/security/advisories/GHSA-wjr5-c57x-95m2

#infosec #cybersecurity #CVE_2026_33416 #CVE_2026_33636

Use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`

Summary: Use-after-free via pointer aliasing between `png_struct` and `png_info` in `png_set_tRNS` and `png_set_PLTE`.

Description: In libpng versions through 1.6.55, `png_set_tRNS` an...
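A quick way to triage hosts against these two advisories is to compare the installed libpng version with the fixed release. The script below is an added example, not part of the post or of the libpng project; it takes the fixed version (1.6.56) from the post and the affected range (through 1.6.55) from the advisory summary above, and assumes that either `libpng-config --version` or `pkg-config --modversion libpng` is available for querying the installed library. Pass `--installed` to report on the local system; the functions can also be sourced and called with any version string.

```shell
#!/bin/sh
# Added example (not from the advisory or the libpng project):
# decide whether a libpng version predates the 1.6.56 release that
# fixes CVE-2026-33416 and CVE-2026-33636. Per the advisory, versions
# through 1.6.55 are affected.

FIXED_VERSION="1.6.56"

# Compare two dotted version strings component by component and print
# -1, 0 or 1 (a < b, a == b, a > b). Missing components count as 0 and
# a non-numeric suffix such as "56rc01" is compared as 56.
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        ai=${ai%%[!0-9]*}; bi=${bi%%[!0-9]*}
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
        case $a in *.*) a=${a#*.};; *) a= ;; esac
        case $b in *.*) b=${b#*.};; *) b= ;; esac
    done
    printf '%s\n' 0
}

# Succeeds (exit 0) when VERSION is older than the fixed release.
libpng_is_affected() {
    [ "$(vercmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# Print the version of the libpng development package found on this
# host, trying libpng-config first and pkg-config second. Fails when
# neither tool can answer (assumption: one of them is installed).
installed_libpng_version() {
    if command -v libpng-config >/dev/null 2>&1; then
        libpng-config --version
    elif command -v pkg-config >/dev/null 2>&1 && pkg-config --exists libpng 2>/dev/null; then
        pkg-config --modversion libpng
    else
        return 1
    fi
}

report_installed() {
    v=$(installed_libpng_version) || {
        echo "libpng version could not be determined (no libpng-config/pkg-config)"
        return 1
    }
    if libpng_is_affected "$v"; then
        echo "libpng $v: AFFECTED by CVE-2026-33416 / CVE-2026-33636 (fixed in $FIXED_VERSION)"
        return 2
    fi
    echo "libpng $v: carries the $FIXED_VERSION fix"
}

# Only act when run as a script with --installed; sourcing the file just
# defines the functions.
if [ "${1-}" = "--installed" ]; then
    report_installed
fi
```

The exit status of `report_installed` (0 fixed, 1 undetermined, 2 affected) makes the script usable from inventory tooling without parsing its text. It only sees the development package the build tools point at; statically linked copies of libpng inside applications have to be checked separately against the application's own release notes.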
