{"id":"CVE-2026-34757","summary":"LIBPNG has a use-after-free in png_set_PLTE, png_set_tRNS and png_set_hIST leading to corrupted chunk data and potential heap information disclosure","details":"LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.0.9 to before 1.6.57, passing a pointer obtained from png_get_PLTE, png_get_tRNS, or png_get_hIST back into the corresponding setter on the same png_struct/png_info pair causes the setter to read from freed memory and copy its contents into the replacement buffer. The setter frees the internal buffer before copying from the caller-supplied pointer, which now dangles. The freed region may contain stale data (producing silently corrupted chunk metadata) or data from subsequent heap allocations (leaking unrelated heap contents into the chunk struct). This vulnerability is fixed in 1.6.57.","aliases":["GHSA-6fr7-g8h7-v645"],"modified":"2026-04-25T07:59:11.228081967Z","published":"2026-04-09T14:41:18.195Z","related":["SUSE-SU-2026:1500-1","SUSE-SU-2026:1601-1","SUSE-SU-2026:1602-1","SUSE-SU-2026:21239-1","SUSE-SU-2026:21251-1","SUSE-SU-2026:21262-1","openSUSE-SU-2026:10564-1","openSUSE-SU-2026:20593-1"],"database_specific":{"cwe_ids":["CWE-416"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34757.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34757.json"},{"type":"FIX","url":"https://github.com/pnggroup/libpng/commit/398cbe3df03f4e11bb031e07f416dfdde3684e8a"},{"type":"FIX","url":"https://github.com/pnggroup/libpng/commit/55d20aaa322c9274491cda82c5cd4f99b48c6bcc"},{"type":"REPORT","url":"https://github.com/pnggroup/libpng/issues/836"},{"type":"REPORT","url":"https://github.com/pnggroup/libpng/issues/837"},{"type":"ADVISORY","url":"https://github.com/pnggroup/libpng/security/advisories/GH
SA-6fr7-g8h7-v645"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34757"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pnggroup/libpng","events":[{"introduced":"d4e8109a481c9acaa84bc6db4db711a42256b6c9"},{"fixed":"95ab3fdca83ea294efd3b092e9a53c5a39886444"}],"database_specific":{"extracted_events":[{"introduced":"1.0.9"},{"fixed":"1.6.57"}],"source":"AFFECTED_FIELD"}}],"versions":["libpng-1.6.10-signed","libpng-1.6.11-signed","libpng-1.6.12-signed","libpng-1.6.13-signed","libpng-1.6.14-signed","libpng-1.6.15-signed","libpng-1.6.16-signed","libpng-1.6.17-signed","libpng-1.6.18-signed","libpng-1.6.2-signed","libpng-1.6.20-signed","libpng-1.6.21-signed","libpng-1.6.23-signed","libpng-1.6.24-signed","libpng-1.6.25-signed","libpng-1.6.26-signed","libpng-1.6.29-signed","libpng-1.6.3-signed","libpng-1.6.30-master-signed","libpng-1.6.30-signed","libpng-1.6.31-master-signed","libpng-1.6.31-signed","libpng-1.6.4-signed","libpng-1.6.7-signed","libpng-1.6.8-signed","libpng-1.6.9-signed","v1.0.10","v1.0.10beta1","v1.0.10rc1","v1.0.11","v1.0.11beta1","v1.0.11beta2","v1.0.11beta3","v1.0.11rc1","v1.0.12beta1","v1.0.9","v1.2.0","v1.2.0beta1","v1.2.0beta2","v1.2.0beta3","v1.2.0beta4","v1.2.0beta5","v1.2.0rc1","v1.2.1","v1.2.10beta1","v1.2.10beta2","v1.2.10beta3","v1.2.10beta4","v1.2.10beta5","v1.2.10beta6","v1.2.10beta7","v1.2.10rc1","v1.2.1beta1","v1.2.1beta2","v1.2.1beta3","v1.2.1beta4","v1.2.1rc1","v1.2.1rc2","v1.2.2","v1.2.2beta1","v1.2.2beta2","v1.2.2beta3","v1.2.2beta4","v1.2.2beta5","v1.2.2beta6","v1.2.2rc1","v1.2.3","v1.2.3rc1","v1.2.3rc2","v1.2.3rc3","v1.2.3rc4","v1.2.3rc5","v1.2.3rc6","v1.2.4","v1.2.4beta1","v1.2.4beta2","v1.2.4beta3","v1.2.4rc1","v1.2.5","v1.2.5beta1","v1.2.5beta2","v1.2.5rc1","v1.2.5rc2","v1.2.5rc3","v1.2.6","v1.2.6beta1","v1.2.6beta2","v1.2.6beta3","v1.2.6beta4","v1.2.6rc1","v1.2.6rc2","v1.2.6rc3","v1.2.6rc4","v1.2.6rc5","v1.2.7","v1.2.7beta1","v1.2.7beta2","v1.2.7rc1","v1.2.8","v1.2.8beta1","v1.2.8beta2","v1.2.8b
eta3","v1.2.8beta4","v1.2.8beta5","v1.2.8rc1","v1.2.8rc2","v1.2.8rc3","v1.2.8rc4","v1.2.8rc5","v1.2.9","v1.2.9beta1","v1.2.9beta10","v1.2.9beta11","v1.2.9beta2","v1.2.9beta3","v1.2.9beta4","v1.2.9beta5","v1.2.9beta6","v1.2.9beta7","v1.2.9beta8","v1.2.9beta9","v1.2.9rc1","v1.4.0beta1","v1.4.0beta10","v1.4.0beta100","v1.4.0beta101","v1.4.0beta102","v1.4.0beta104","v1.4.0beta105","v1.4.0beta106","v1.4.0beta107","v1.4.0beta108","v1.4.0beta109","v1.4.0beta11","v1.4.0beta12","v1.4.0beta13","v1.4.0beta14","v1.4.0beta15","v1.4.0beta16","v1.4.0beta17","v1.4.0beta18","v1.4.0beta19","v1.4.0beta2","v1.4.0beta20","v1.4.0beta21","v1.4.0beta22","v1.4.0beta23","v1.4.0beta24","v1.4.0beta25","v1.4.0beta26","v1.4.0beta27","v1.4.0beta28","v1.4.0beta29","v1.4.0beta3","v1.4.0beta30","v1.4.0beta31","v1.4.0beta32","v1.4.0beta33","v1.4.0beta34","v1.4.0beta35","v1.4.0beta36","v1.4.0beta37","v1.4.0beta38","v1.4.0beta39","v1.4.0beta4","v1.4.0beta40","v1.4.0beta41","v1.4.0beta42","v1.4.0beta43","v1.4.0beta44","v1.4.0beta45","v1.4.0beta46","v1.4.0beta47","v1.4.0beta48","v1.4.0beta49","v1.4.0beta5","v1.4.0beta50","v1.4.0beta51","v1.4.0beta52","v1.4.0beta53","v1.4.0beta54","v1.4.0beta55","v1.4.0beta56","v1.4.0beta57","v1.4.0beta58","v1.4.0beta6","v1.4.0beta60","v1.4.0beta61","v1.4.0beta62","v1.4.0beta63","v1.4.0beta64","v1.4.0beta65","v1.4.0beta66","v1.4.0beta67","v1.4.0beta68","v1.4.0beta69","v1.4.0beta7","v1.4.0beta70","v1.4.0beta71","v1.4.0beta73","v1.4.0beta75","v1.4.0beta76","v1.4.0beta77","v1.4.0beta78","v1.4.0beta79","v1.4.0beta8","v1.4.0beta80","v1.4.0beta81","v1.4.0beta82","v1.4.0beta83","v1.4.0beta84","v1.4.0beta85","v1.4.0beta86","v1.4.0beta87","v1.4.0beta89","v1.4.0beta9","v1.4.0beta90","v1.4.0beta91","v1.4.0beta92","v1.4.0beta93","v1.4.0beta94","v1.4.0beta95","v1.4.0beta96","v1.4.0beta98","v1.4.0beta99","v1.4.0rc03","v1.4.0rc04","v1.4.0rc05","v1.4.0rc06","v1.4.0rc07","v1.4.0rc08","v1.5.0","v1.5.0beta01","v1.5.0beta02","v1.5.0beta03","v1.5.0beta04","v1.5.0beta05","v1.5.0beta06","v1.5.0
beta07","v1.5.0beta08","v1.5.0beta09","v1.5.0beta11","v1.5.0beta12","v1.5.0beta13","v1.5.0beta14","v1.5.0beta15","v1.5.0beta16","v1.5.0beta17","v1.5.0beta18","v1.5.0beta19","v1.5.0beta20","v1.5.0beta21","v1.5.0beta22","v1.5.0beta23","v1.5.0beta24","v1.5.0beta25","v1.5.0beta26","v1.5.0beta27","v1.5.0beta28","v1.5.0beta29","v1.5.0beta30","v1.5.0beta31","v1.5.0beta32","v1.5.0beta33","v1.5.0beta34","v1.5.0beta35","v1.5.0beta36","v1.5.0beta37","v1.5.0beta38","v1.5.0beta39","v1.5.0beta40","v1.5.0beta41","v1.5.0beta42","v1.5.0beta43","v1.5.0beta44","v1.5.0beta45","v1.5.0beta46","v1.5.0beta47","v1.5.0beta48","v1.5.0beta49","v1.5.0beta50","v1.5.0beta51","v1.5.0beta52","v1.5.0beta53","v1.5.0beta54","v1.5.0beta55","v1.5.0beta56","v1.5.0beta57","v1.5.0beta58","v1.5.0rc01","v1.5.0rc02","v1.5.0rc03","v1.5.0rc05","v1.5.0rc06","v1.5.1","v1.5.1beta01","v1.5.1beta02","v1.5.1beta03","v1.5.1beta04","v1.5.1beta05","v1.5.1beta06","v1.5.1beta07","v1.5.1beta08","v1.5.1beta09","v1.5.1beta10","v1.5.1beta11","v1.5.1rc01","v1.5.1rc02","v1.5.2","v1.5.2beta01","v1.5.2beta02","v1.5.2beta03","v1.5.2rc01","v1.5.2rc02","v1.5.2rc03","v1.5.3beta01","v1.5.3beta02","v1.5.3beta03","v1.5.3beta05","v1.5.3beta06","v1.5.3beta07","v1.5.3beta08","v1.5.3beta09","v1.5.3beta10","v1.5.3beta11","v1.5.3rc01","v1.5.3rc02","v1.5.4","v1.5.4beta01","v1.5.4beta02","v1.5.4beta03","v1.5.4beta04","v1.5.4beta05","v1.5.4beta06","v1.5.4beta07","v1.5.4beta08","v1.5.4rc01","v1.5.5","v1.5.5beta01","v1.5.5beta02","v1.5.5beta03","v1.5.5beta04","v1.5.5beta05","v1.5.5beta06","v1.5.5beta07","v1.5.5beta08","v1.5.5rc01","v1.5.6","v1.5.6beta01","v1.5.6beta02","v1.5.6beta03","v1.5.6beta04","v1.5.6beta05","v1.5.6beta06","v1.5.6beta07","v1.5.6rc01","v1.5.6rc02","v1.5.6rc03","v1.5.7beta01","v1.5.7beta02","v1.5.7beta03","v1.5.7beta04","v1.6.0","v1.6.0beta01","v1.6.0beta02","v1.6.0beta03","v1.6.0beta04","v1.6.0beta05","v1.6.0beta06","v1.6.0beta07","v1.6.0beta08","v1.6.0beta09","v1.6.0beta10","v1.6.0beta11","v1.6.0beta12","v1.6.0beta13","v1.6.0
beta14","v1.6.0beta15","v1.6.0beta16","v1.6.0beta17","v1.6.0beta18","v1.6.0beta19","v1.6.0beta21","v1.6.0beta22","v1.6.0beta23","v1.6.0beta24","v1.6.0beta25","v1.6.0beta26","v1.6.0beta27","v1.6.0beta28","v1.6.0beta29","v1.6.0beta30","v1.6.0beta31","v1.6.0beta32","v1.6.0beta33","v1.6.0beta34","v1.6.0beta35","v1.6.0beta36","v1.6.0beta37","v1.6.0beta38","v1.6.0beta39","v1.6.0beta40","v1.6.0rc01","v1.6.0rc02","v1.6.0rc03","v1.6.0rc04","v1.6.0rc05","v1.6.0rc06","v1.6.0rc07","v1.6.0rc08","v1.6.1","v1.6.10","v1.6.10beta01","v1.6.10beta02","v1.6.10rc01","v1.6.10rc02","v1.6.10rc03","v1.6.11","v1.6.11beta01","v1.6.11beta02","v1.6.11beta03","v1.6.11beta04","v1.6.11beta05","v1.6.11beta06","v1.6.11rc01","v1.6.11rc02","v1.6.12","v1.6.12rc01","v1.6.12rc02","v1.6.12rc03","v1.6.13","v1.6.13beta01","v1.6.13beta02","v1.6.13beta03","v1.6.13beta04","v1.6.13rc01","v1.6.14","v1.6.14beta01","v1.6.14beta02","v1.6.14beta03","v1.6.14beta04","v1.6.14beta05","v1.6.14beta06","v1.6.14beta07","v1.6.14rc01","v1.6.14rc02","v1.6.15","v1.6.15beta01","v1.6.15beta02","v1.6.15beta03","v1.6.15beta04","v1.6.15beta05","v1.6.15beta06","v1.6.15beta07","v1.6.15beta08","v1.6.15rc01","v1.6.15rc02","v1.6.15rc03","v1.6.16","v1.6.16beta01","v1.6.16beta02","v1.6.16beta03","v1.6.16rc01","v1.6.16rc02","v1.6.16rc03","v1.6.17","v1.6.17beta01","v1.6.17beta02","v1.6.17beta03","v1.6.17beta04","v1.6.17beta05","v1.6.17rc01","v1.6.17rc02","v1.6.17rc03","v1.6.17rc04","v1.6.17rc05","v1.6.17rc06","v1.6.18","v1.6.18beta01","v1.6.18beta02","v1.6.18beta03","v1.6.18beta04","v1.6.18beta05","v1.6.18beta06","v1.6.18beta07","v1.6.18beta08","v1.6.18beta09","v1.6.18rc01","v1.6.18rc02","v1.6.18rc03","v1.6.19","v1.6.19beta01","v1.6.19beta02","v1.6.19beta03","v1.6.19beta04","v1.6.19rc01","v1.6.19rc02","v1.6.19rc03","v1.6.19rc04","v1.6.1beta01","v1.6.1beta02","v1.6.1beta03","v1.6.1beta04","v1.6.1beta05","v1.6.1beta06","v1.6.1beta07","v1.6.1beta08","v1.6.1beta09","v1.6.1rc01","v1.6.2","v1.6.20beta01","v1.6.20beta02","v1.6.20beta03","v1.6.20rc0
1","v1.6.20rc02","v1.6.21","v1.6.21beta01","v1.6.21beta02","v1.6.21beta03","v1.6.21rc01","v1.6.21rc02","v1.6.22","v1.6.22beta01","v1.6.22beta02","v1.6.22beta05","v1.6.22beta06","v1.6.22rc01","v1.6.22rc02","v1.6.22rc03","v1.6.23","v1.6.23beta01","v1.6.23rc01","v1.6.23rc02","v1.6.24","v1.6.24beta02","v1.6.24beta03","v1.6.24beta04","v1.6.24beta05","v1.6.24beta06","v1.6.24rc01","v1.6.24rc02","v1.6.24rc03","v1.6.25","v1.6.25beta02","v1.6.25rc04","v1.6.26","v1.6.26beta01","v1.6.26beta02","v1.6.26beta03","v1.6.26beta04","v1.6.26beta05","v1.6.26beta06","v1.6.26rc01","v1.6.27beta01","v1.6.29","v1.6.29beta02","v1.6.29beta03","v1.6.29rc01","v1.6.2beta01","v1.6.2beta02","v1.6.2rc01","v1.6.2rc02","v1.6.2rc03","v1.6.2rc04","v1.6.2rc05","v1.6.2rc06","v1.6.3","v1.6.30","v1.6.30beta01","v1.6.30beta02","v1.6.30beta03","v1.6.30beta04","v1.6.30rc01","v1.6.31","v1.6.31beta01","v1.6.31beta02","v1.6.31beta03","v1.6.31beta04","v1.6.31beta05","v1.6.31beta06","v1.6.31beta07","v1.6.31rc01","v1.6.31rc02","v1.6.32","v1.6.32beta01","v1.6.32beta02","v1.6.32beta03","v1.6.32beta05","v1.6.32beta06","v1.6.32beta07","v1.6.32beta08","v1.6.32beta09","v1.6.32beta10","v1.6.32beta11","v1.6.32rc01","v1.6.32rc02","v1.6.33","v1.6.33beta01","v1.6.33beta02","v1.6.33beta03","v1.6.33rc01","v1.6.33rc02","v1.6.34","v1.6.35","v1.6.35beta01","v1.6.36","v1.6.37","v1.6.38","v1.6.39","v1.6.3beta01","v1.6.3beta02","v1.6.3beta03","v1.6.3beta04","v1.6.3beta05","v1.6.3beta06","v1.6.3beta07","v1.6.3beta08","v1.6.3beta09","v1.6.3beta10","v1.6.3rc01","v1.6.4","v1.6.40","v1.6.41","v1.6.42","v1.6.43","v1.6.44","v1.6.45","v1.6.46","v1.6.47","v1.6.48","v1.6.49","v1.6.4beta02","v1.6.4rc01","v1.6.5","v1.6.50","v1.6.51","v1.6.52","v1.6.53","v1.6.54","v1.6.55","v1.6.56","v1.6.6","v1.6.7","v1.6.7beta01","v1.6.7beta02","v1.6.7beta03","v1.6.7beta04","v1.6.7rc01","v1.6.7rc02","v1.6.8","v1.6.8beta01","v1.6.8beta02","v1.6.8rc02","v1.6.9","v1.6.9beta01","v1.6.9beta02","v1.6.9beta03","v1.6.9rc01","v1.6.9rc02"],"database_specific":{"vanir_sign
atures":[{"id":"CVE-2026-34757-70e143dc","signature_version":"v1","target":{"file":"png.h"},"signature_type":"Line","digest":{"line_hashes":["166375070723291529406421301066248769034","275647010778297936193963675511576832388","256826767335212246520616614652191899280","279336807821086835335477021495116274772","96828756811463072029096943431647202248","259487929796874909307747743720902989358","80963509367953910314498672599247783016","206865296629031300762097612744588164709"],"threshold":0.9},"deprecated":false,"source":"https://github.com/pnggroup/libpng/commit/95ab3fdca83ea294efd3b092e9a53c5a39886444"},{"id":"CVE-2026-34757-839340eb","signature_version":"v1","deprecated":false,"target":{"function":"png_get_copyright","file":"png.c"},"digest":{"function_hash":"146975181446520445131848842077920213238","length":481},"signature_type":"Function","source":"https://github.com/pnggroup/libpng/commit/95ab3fdca83ea294efd3b092e9a53c5a39886444"},{"id":"CVE-2026-34757-8431ceba","signature_version":"v1","target":{"file":"png.c"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["20690527425479463155769128219160714075","98088587498112191141397603378614727518","7935846545239316385426716078199945835","208287592676115611469933640333846570932","292357994389841934038319271468916188521","212065094251759268037508620228075803576"]},"deprecated":false,"source":"https://github.com/pnggroup/libpng/commit/95ab3fdca83ea294efd3b092e9a53c5a39886444"},{"id":"CVE-2026-34757-9add0492","signature_version":"v1","target":{"file":"pngtest.c"},"deprecated":false,"digest":{"line_hashes":["45845269420897776676035505686172938030","184304714950459183824047737621862811542","331419921458161231296540318430710672569","247469130764672595333806172281234416954"],"threshold":0.9},"signature_type":"Line","source":"https://github.com/pnggroup/libpng/commit/95ab3fdca83ea294efd3b092e9a53c5a39886444"}],"vanir_signatures_modified":"2026-04-13T12:19:30Z","source":"https://storage.googleapis.com/osv-test-cve-os
v-conversion/osv-output/CVE-2026-34757.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}]}