ELA-1724-1 libpng1.6 security update

information disclosure

2026-05-17
Package: libpng1.6
Version: 1.6.28-1+deb9u5 (stretch)
Related CVEs: CVE-2026-34757


A security vulnerability has been discovered in libpng, a library implementing an interface for reading and writing PNG (Portable Network Graphics) files, which could lead to corrupted chunk data and potential heap information disclosure.

CVE-2026-34757

Passing a pointer obtained from png_get_PLTE, png_get_tRNS, or png_get_hIST back into the corresponding setter on the same png_struct/png_info pair causes the setter to read from freed memory and copy its contents into the replacement buffer. The setter frees the internal buffer before copying from the caller-supplied pointer, which now dangles. The freed region may contain stale data (producing silently corrupted chunk metadata) or data from subsequent heap allocations (leaking unrelated heap contents into the chunk struct).
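The ordering problem above, shown on a small stand-alone model of a palette setter rather than libpng's own png_set_PLTE (added example, not from the advisory or from libpng): the defective order frees the stored buffer before reading the caller's pointer, so a pointer that came from the matching getter dangles; the hardened order copies first and frees last, so the aliased case is safe. The struct, function names and sample palette are constructed for this illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for the palette slot of a png_info (not libpng's struct). */
typedef struct {
    uint8_t *palette;   /* owned buffer, 3 bytes per entry (RGB) */
    int      num;       /* number of entries */
} model_info;

/* Defective ordering described in the advisory (model only, never executed here):
 *   free(info->palette);                  -- a caller pointer from the getter now dangles
 *   info->palette = malloc(3 * num);
 *   memcpy(info->palette, src, 3 * num);  -- reads freed memory when src aliased it
 */

/* Hardened setter: copy the caller's data into a fresh buffer before releasing
 * the old one, so a src that aliases info->palette is still live when read.
 * Returns 0 on success, -1 on invalid input or allocation failure. */
int model_set_PLTE(model_info *info, const uint8_t *src, int num)
{
    if (info == NULL || src == NULL || num <= 0 || num > 256)
        return -1;
    uint8_t *fresh = malloc((size_t)num * 3);
    if (fresh == NULL)
        return -1;
    memcpy(fresh, src, (size_t)num * 3);   /* old buffer untouched so far */
    free(info->palette);                   /* release only after the copy */
    info->palette = fresh;
    info->num = num;
    return 0;
}

/* Getter returning the internal pointer, as png_get_PLTE does. */
const uint8_t *model_get_PLTE(const model_info *info, int *num)
{
    if (num) *num = info->num;
    return info->palette;
}

/* Round trip: get the palette, hand the same pointer back to the setter, and
 * verify the stored entries survive unchanged. Returns 1 when they do. */
int roundtrip_ok(void)
{
    static const uint8_t seed[6] = {0x10, 0x20, 0x30, 0x40, 0x50, 0x60}; /* constructed 2-entry palette */
    model_info info = {NULL, 0};
    if (model_set_PLTE(&info, seed, 2) != 0) return 0;
    int n = 0;
    const uint8_t *p = model_get_PLTE(&info, &n);
    int ok = model_set_PLTE(&info, p, n) == 0 && info.num == 2 &&
             memcmp(info.palette, seed, 6) == 0;
    free(info.palette);
    return ok;
}
```

Callers that cannot upgrade can apply the same idea on their side by copying the getter's buffer into their own allocation before passing it to the setter.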

Additionally, this update fixes an upstream regression in the fix for CVE-2026-33416, released with ELA-1674-1, in which stale palette data was used when a transform modifying the palette was the only transform applied.



For Debian 9 stretch, these problems have been fixed in version 1.6.28-1+deb9u5.

We recommend that you upgrade your libpng1.6 packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.