Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2026-33416

7.5 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 2 weeks, 5 days ago

LIBPNG has use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, `png_set_tRNS` and `png_set_PLTE` each alias a heap-allocated buffer between `png_struct` and `png_info`, sharing a single allocation across two structs with independent lifetimes. The `trans_alpha` aliasing has been present since at least libpng 1.0, and the `palette` aliasing since at least 1.2.1. Both affect all prior release lines `png_set_tRNS` sets `png_ptr->trans_alpha = info_ptr->trans_alpha` (256-byte buffer) and `png_set_PLTE` sets `info_ptr->palette = png_ptr->palette` (768-byte buffer). In both cases, calling `png_free_data` (with `PNG_FREE_TRNS` or `PNG_FREE_PLTE`) frees the buffer through `info_ptr` while the corresponding `png_ptr` pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory. A second call to `png_set_tRNS` or `png_set_PLTE` has the same effect, because both functions call `png_free_data` internally before reallocating the `info_ptr` buffer. Version 1.6.56 fixes the issue.

References

https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j x_refsource_CONFIRM
https://github.com/pnggroup/libpng/pull/824 x_refsource_MISC
https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb x_refsource_MISC
https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667 x_refsource_MISC
https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25 x_refsource_MISC
https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1 x_refsource_MISC

Affected products

libpng

==>= 1.2.1, < 1.6.56

Matching in nixpkgs

pkgs.libpng

Official reference implementation for the PNG file format with animation patch

nixos-unstable 1.6.55
- nixpkgs-unstable 1.6.55
- nixos-unstable-small 1.6.55
nixos-25.11 1.6.55
- nixos-25.11-small 1.6.55
- nixpkgs-25.11-darwin 1.6.55

pkgs.libpng12

Official reference implementation for the PNG file format

nixos-unstable 1.2.59
- nixpkgs-unstable 1.2.59
- nixos-unstable-small 1.2.59
nixos-25.11 1.2.59
- nixos-25.11-small 1.2.59
- nixpkgs-25.11-darwin 1.2.59

pkgs.perlPackages.ImagePNGLibpng

Perl interface to libpng

nixos-unstable 0.59
- nixpkgs-unstable 0.59
- nixos-unstable-small 0.59
nixos-25.11 0.59
- nixos-25.11-small 0.59
- nixpkgs-25.11-darwin 0.59

pkgs.perl5Packages.ImagePNGLibpng

Perl interface to libpng

nixos-unstable 0.59
- nixpkgs-unstable 0.59
- nixos-unstable-small 0.59

pkgs.perl538Packages.ImagePNGLibpng

Perl interface to libpng

nixos-25.11 0.59
- nixos-25.11-small 0.59
- nixpkgs-25.11-darwin 0.59

pkgs.perl540Packages.ImagePNGLibpng

Perl interface to libpng

nixos-25.11 0.59
- nixos-25.11-small 0.59
- nixpkgs-25.11-darwin 0.59

pkgs.tests.pkg-config.defaultPkgConfigPackages.libpng

Test whether libpng-apng-1.6.46 exposes pkg-config modules libpng

nixos-unstable -
- nixpkgs-unstable
- nixos-unstable-small
nixos-25.11 -
- nixos-25.11-small
- nixpkgs-25.11-darwin

Package maintainers

@vcunat Vladimír Čunát <v@cunat.cz>