| Package | libpng1.6 |
|---|---|
| Version | 1.6.28-1+deb9u4 (stretch) |
| Related CVEs | CVE-2026-33416 |
A security vulnerability has been discovered in libpng, a library implementing an interface for reading and writing PNG (Portable Network Graphics) files, which could potentially result in the execution of arbitrary code.
CVE-2026-33416
Use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`, potentially allowing arbitrary code execution
For Debian 9 stretch, this problem has been fixed in version 1.6.28-1+deb9u4.
We recommend that you upgrade your libpng1.6 packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.