#libpng 1.6.56 fixes two high-severity vulnerabilities: CVE-2026-33416 and CVE-2026-33636.

Out of these, CVE-2026-33416: Use-after-free via pointer aliasing in png_set_tRNS and png_set_PLTE is particularly serious, as arbitrary code execution has been demonstrated. Applications that call png_free_data() to release memory between png_read_info() and png_read_update_info() are affected.

https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j

The second vulnerability, CVE-2026-33636: Out-of-bounds read/write in the palette expansion on ARM Neon, is of more limited concern as only crashes have been demonstrated. More serious impacts have not been ruled out, however.

https://github.com/pnggroup/libpng/security/advisories/GHSA-wjr5-c57x-95m2

#infosec #cybersecurity #CVE_2026_33416 #CVE_2026_33636

Use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`

## Summary Use-after-free via pointer aliasing between `png_struct` and `png_info` in `png_set_tRNS` and `png_set_PLTE`. ## Description In libpng versions through 1.6.55, `png_set_tRNS` an...

GitHub

Make_map sliced in PNG format now, and MapEdit can handle PNG tilesets, using APNG specifications (since libpng 1.8.0) to store all tiles in only 1 file.

Also crashy bugs found. Thanks to the German people, my MagicOnLinux/mac is convenient enough for bugbusters sessions

#atarist #gamedev #libpng #v4sa

There's something for everyone. At https://www.cisa.gov/news-events/bulletins/sb25-342 #Cisa publishes a weekly list of #vulnerabilidades #CVE 📉. #Avast #GitLab #IBMInformix #NVIDIA #LIBPNG #RedHat #Samsung #SynologyDSM #Vim, #WP plugins. These are the ones that sound most familiar to me among the #HighVulnerabilites. Remember, updates are ✋ important.

My new pngdec.ldg works, except for last transformation RGBA to ARGB for the TC32 screen (harsh vro_cpyfm on the screen for testing). Has to LPEEK and ROR(RGBA, 8) in my GFA code to fix...

Incidentally, my GIF slicer will become a PNG slicer too.

#atarist #v4sa #libpng

libpng 1.6.0 through 1.6.51 out-of-bounds read vulnerability CVE-2025-66293 may lead to information disclosure (or denial of service). Due to a bug, processing a PNG image may lead to a read of 1012 bytes past the end of an array. Depending on the contents of the memory beyond this array, some confidential information may be leaked.

The conditions for the issue to trigger require the image to be processed through the simplified API with an output format without alpha and no explicit background color. This means that not every application processing PNG images is leaking information. Also a limiting factor is that the affected system would need to return the decoded image data for the information leak to happen in the first place. Finally, the information would need to cross a security context (for example from server to client, from privileged process to unprivileged or from user to another user) for the leak to have a security impact.

Interestingly the images resulting in the leak are in fact fully PNG spec compliant.

libpng 1.6.0 through 1.6.51 are affected. The vulnerability is fixed in libpng 1.6.52.

source: https://www.openwall.com/lists/oss-security/2025/12/03/5

#libpng #CVE_2025_66293 #infosec #cybersecurity

oss-security - libpng 1.6.52: Out-of-bounds vulnerability fixed: CVE-2025-66293

It does not seem as if Debian has picked up the libpng security patches from 1.6.51 yet (for either trixie or bookworm). Four CVEs, two high, two moderate severity - "CVE-2025-65018 may enable arbitrary code execution via heap corruption in certain heap configurations".

It's just been announced, seen on oss-security, https://www.openwall.com/lists/oss-security/2025/11/22/1

I'd assume that Mastodon ends up using libpng for image processing in some way?

[edit] See discussion below: In Debian bookworm, libpng is used by Mastodon via either libvips or imagemagick (for older Mastodon versions). In Debian trixie, libvips is built against libspng instead, imagemagick still uses libpng though. There may be further mitigating factors that I don't know about.

#infosec #debian #libpng

oss-security - libpng 1.6.51: Four buffer overflow vulnerabilities fixed: CVE-2025-64505, CVE-2025-64506, CVE-2025-64720, CVE-2025-65018

- Updated #tiff to 4.7.1

- Updated pl_mpeg

- Updated #nanoSVG

- Updated #libpng to 1.6.50

- Updated #jasper to 4.2.8

- Updated #AnimatedGIF to 2.2.0

- Moved mbedTLS config out of the source tree

- Added more examples/tests

- Added my #VCFe talk slides from May, 2025

#MSDOS #DOSGaming #retrocomputing #JavaScript #FreeDOS #creativecoding #p5js #retrodev #retrodevelopment #3dfx #OpenGL #Processing
3/

Rediscovered an 11‑Year‑Old libpng Vulnerability

A beginner in secure code review reintroduced CVE‑2014‑9495 by fuzzing width * bit-depth overflow

https://blog.himanshuanand.com/posts/discovered-a-libpng-vulnerability-11-years-after-it-was-patched/

#libpng #IntegerOverflow

How I Discovered a Libpng Vulnerability 11 Years After It Was Patched

A beginner's journey into secure code review, and how I accidentally rediscovered an 11-year-old vulnerability in libpng.
