| Package | libpng1.6 |
|---|---|
| Version | 1.6.36-6+deb10u4 (buster) |
| Related CVEs | CVE-2026-34757 CVE-2026-40930 |
Two security vulnerabilities have been discovered in libpng, a library implementing an interface for reading and writing PNG (Portable Network Graphics) files, which could lead to corrupted chunk data and potential heap information disclosure.
CVE-2026-34757
Passing a pointer obtained from png_get_PLTE, png_get_tRNS, or png_get_hIST back into the corresponding setter on the same png_struct/png_info pair causes the setter to read from freed memory and copy its contents into the replacement buffer. The setter frees the internal buffer before copying from the caller-supplied pointer, which now dangles. The freed region may contain stale data (producing silently corrupted chunk metadata) or data from subsequent heap allocations (leaking unrelated heap contents into the chunk struct).
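The free-before-copy ordering described above, shown as an added model constructed for this advisory rather than libpng's own code: a minimal getter that hands out the internal palette buffer (as png_get_PLTE does), the buggy setter ordering that reads from freed memory when the caller passes that pointer back, and the safe ordering that copies first and frees last. The names `info_t`, `set_palette_buggy` and `set_palette_safe` are assumptions of the model.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model (not libpng code): an info struct owns a heap copy of the
 * palette; a getter exposes that pointer and a setter replaces the contents. */
typedef struct { unsigned char r, g, b; } color_t;
typedef struct { color_t *palette; int num; } info_t;

/* Getter: returns the internal pointer, like png_get_PLTE. */
int get_palette(info_t *info, color_t **pal, int *num) {
    *pal = info->palette;
    *num = info->num;
    return info->palette != NULL;
}

/* Buggy ordering (the class of bug in CVE-2026-34757): the old buffer is
 * freed BEFORE the copy, so when `src` aliases info->palette the memcpy reads
 * freed memory. Kept only for contrast; never call it with an aliased pointer. */
void set_palette_buggy(info_t *info, const color_t *src, int num) {
    free(info->palette);                          /* src may now dangle */
    info->palette = malloc((size_t)num * sizeof *src);
    memcpy(info->palette, src, (size_t)num * sizeof *src);
    info->num = num;
}

/* Safe ordering: copy into a fresh buffer first and release the old one last,
 * so `src` stays valid for the whole copy even if it aliases the internal buffer. */
int set_palette_safe(info_t *info, const color_t *src, int num) {
    color_t *fresh = malloc((size_t)num * sizeof *src);
    if (fresh == NULL) return 0;
    memcpy(fresh, src, (size_t)num * sizeof *src);
    free(info->palette);                          /* old buffer freed only now */
    info->palette = fresh;
    info->num = num;
    return 1;
}

/* Round trip: get the internal pointer, pass it straight back to the safe
 * setter (the aliased call that broke the real one), and check the data survived. */
int roundtrip_keeps_data(void) {
    info_t info = { NULL, 0 };
    color_t seed[2] = { {1, 2, 3}, {4, 5, 6} };   /* constructed sample palette */
    color_t *p; int n, ok;
    if (!set_palette_safe(&info, seed, 2)) return 0;
    get_palette(&info, &p, &n);
    if (!set_palette_safe(&info, p, n)) return 0;
    ok = info.num == 2 && info.palette[0].r == 1 && info.palette[1].b == 6;
    free(info.palette);
    return ok;
}
```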
CVE-2026-40930
Three inter-frame chunk discard paths in the push-mode APNG parser clear the chunk-header flag without consuming the chunk body and CRC, allowing attacker-controlled bytes inside an ignored ancillary chunk to be reinterpreted as a fresh chunk header on the next call to png_process_data. The practical impact depends on the application's CRC error handling configuration: with the default configuration the result is denial of service (the image fails to load); if an application explicitly chooses relaxed CRC handling, the rendered image contains attacker-chosen content. A crafted fake length that exceeds the carrier chunk body would cause cascading desynchronization beyond the carrier chunk boundary.
The attack requires a malicious PNG delivered over the network and opened by a push-mode application. Sequential-mode reading is not affected.
Additionally, this update fixes an upstream regression for CVE-2026-33416, released with ELA-1674-1, where stale palette data was used when a transform modifying the palette was the only transform enabled.
For Debian 10 buster, these problems have been fixed in version 1.6.36-6+deb10u4.
We recommend that you upgrade your libpng1.6 packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.