{"id":"MGASA-2026-0205","summary":"Updated libpng packages fix security vulnerabilities","details":"LIBPNG has a use-after-free in png_set_PLTE, png_set_tRNS and\npng_set_hIST leading to corrupted chunk data and potential heap\ninformation disclosure. (CVE-2026-34757)\nChunk smuggling in push-mode APNG parser via unconsumed chunk body.\n(CVE-2026-40930)\n","modified":"2026-06-13T01:45:04.643007299Z","published":"2026-06-13T01:38:46Z","upstream":["CVE-2026-40930"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2026-0205.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=35542"},{"type":"WEB","url":"https://www.openwall.com/lists/oss-security/2026/04/09/2"},{"type":"WEB","url":"https://lists.debian.org/debian-security-announce/2026/msg00174.html"},{"type":"WEB","url":"https://www.openwall.com/lists/oss-security/2026/05/15/21"},{"type":"ADVISORY","url":"https://github.com/pnggroup/libpng/security/advisories/GHSA-c4v6-gxrq-6g2x"}],"affected":[{"package":{"name":"libpng","ecosystem":"Mageia:9","purl":"pkg:rpm/mageia/libpng?arch=source&distro=mageia-9"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.6.38-1.6.mga9"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2026-0205.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}