Memory Corruption Vulnerability in LIBPNG by PNG Group
CVE-2026-34757

5.1 MEDIUM

Key Information:

Vendor: Pnggroup

Status
Vendor
CVE Published: 9 April 2026

What is CVE-2026-34757?

LIBPNG, a widely used reference library for handling PNG (Portable Network Graphics) files, has a critical issue affecting versions prior to 1.6.57. A flaw exists where pointers obtained from getter functions such as png_get_PLTE, png_get_tRNS, or png_get_hIST can be incorrectly passed back into the related setter functions. This leads to reading from previously freed memory, which may result in data corruption or leakage of sensitive information. Users are advised to update to version 1.6.57 or later to mitigate potential risks related to stale data and memory management errors.
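The getter-to-setter aliasing hazard described above, as an added example that is not libpng code and not from the advisory: a toy model with hypothetical names (info, get_palette, set_palette_unsafe, set_palette_safe) that assumes the setter releases its old buffer before copying from the caller's pointer, shown beside a hardened setter that copies first.

```c
#include <stdlib.h>
#include <string.h>

/* Toy model with hypothetical names; this is not libpng source. */
typedef struct { unsigned char r, g, b; } color;
typedef struct { color *palette; int num; } info;

/* Getter: hands out a pointer into the struct's own storage. */
int get_palette(const info *i, color **out, int *num) {
    if (i->palette == NULL) return 0;
    *out = i->palette; *num = i->num;
    return 1;
}

/* Hazardous shape (assumed): the old buffer is released before src is read.
   If src came from get_palette(), memcpy reads freed memory. */
int set_palette_unsafe(info *i, const color *src, int num) {
    free(i->palette);
    i->palette = malloc((size_t)num * sizeof *src);
    if (i->palette == NULL) { i->num = 0; return 0; }
    memcpy(i->palette, src, (size_t)num * sizeof *src); /* stale read if aliased */
    i->num = num;
    return 1;
}

/* Hardened shape: copy into a fresh buffer first, release the old one last. */
int set_palette_safe(info *i, const color *src, int num) {
    if (src == NULL || num <= 0 || num > 256) return 0;
    color *fresh = malloc((size_t)num * sizeof *fresh);
    if (fresh == NULL) return 0;
    memcpy(fresh, src, (size_t)num * sizeof *fresh);
    free(i->palette);
    i->palette = fresh;
    i->num = num;
    return 1;
}

/* Getter-to-setter round trip on constructed data; returns 1 if intact. */
int roundtrip_safe(void) {
    const color init[3] = {{1, 2, 3}, {4, 5, 6}, {7, 8, 9}};
    info i = {NULL, 0};
    color *p = NULL;
    int n = 0, ok;
    if (!set_palette_safe(&i, init, 3)) return -1;
    if (!get_palette(&i, &p, &n)) return -1;
    if (!set_palette_safe(&i, p, n)) return -1; /* p aliases i.palette */
    ok = (i.num == 3 && memcmp(i.palette, init, sizeof init) == 0);
    free(i.palette);
    return ok;
}
```

Callers that cannot upgrade immediately can apply the same ordering on their side by copying getter results into a buffer they own before calling the setter.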

Affected Version(s)

libpng >= 1.0.9, < 1.6.57

CVSS V3.1

Score: 5.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
