ELA-1673-1 libpng1.6 security update

multiple vulnerabilities

2026-04-03
Package: libpng1.6
Version: 1.6.36-6+deb10u3 (buster)
Related CVEs: CVE-2026-33416, CVE-2026-33636


Two security vulnerabilities were discovered in libpng, a library implementing an interface for reading and writing PNG (Portable Network Graphics) files, which could result in denial of service or potentially the execution of arbitrary code.

CVE-2026-33416

Use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`, potentially allowing arbitrary code execution

CVE-2026-33636

Out-of-bounds read/write in the palette expansion on ARM Neon, potentially causing a crash (DoS)


For Debian 10 buster, these problems have been fixed in version 1.6.36-6+deb10u3.

We recommend that you upgrade your libpng1.6 packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.