PatchSiren cyber security CVE debrief
CVE-2026-34757 Lists CVE debrief
CVE-2026-34757 describes a memory-safety flaw in libpng’s metadata handling APIs. If code passes a pointer returned by png_get_PLTE, png_get_tRNS, or png_get_hIST back into the matching setter on the same png_struct/png_info pair, the setter can free the internal buffer first and then read from the now-dangling pointer. That can silently corrupt chunk metadata or copy stale heap data into the replacement buffer. The issue is fixed in libpng 1.6.57.
- Vendor: Lists
- Product: Unknown
- CVSS: MEDIUM 5.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-09
- Original CVE updated: 2026-05-09
- Advisory published: 2026-04-09
- Advisory updated: 2026-05-09
Who should care
Developers and maintainers of applications that use libpng to read or write PNG metadata, especially code that reuses getter-returned pointers with setter APIs on the same image state. Packagers and downstream vendors shipping libpng before 1.6.57 should also review their update status.
Technical summary
The vulnerable pattern is a getter-to-setter round trip on the same png_struct/png_info pair. According to the advisory text, the setter frees the internal chunk buffer before copying from the caller-supplied pointer, which may now dangle. The result is a read from freed memory during the copy path. Impact is limited to confidentiality and integrity in the supplied CVSS vector (C:L/I:L/A:N), consistent with stale data leakage and metadata corruption rather than denial of service.
Defensive priority
Medium. Prioritize remediation if your software writes or updates PLTE, tRNS, or hIST metadata with libpng, or if untrusted PNG files are processed in a workflow that later serializes metadata back out.
Recommended defensive actions
- Upgrade libpng to 1.6.57 or later.
- Audit code for any pattern that passes pointers returned by png_get_PLTE, png_get_tRNS, or png_get_hIST back into the corresponding setter on the same png_struct/png_info pair.
- Backport the upstream fix if you ship a pinned or vendor-modified libpng version.
- Add regression tests for metadata read-modify-write paths that exercise PLTE, tRNS, and hIST handling.
- If immediate upgrade is not possible, avoid reusing getter-returned pointers as setter inputs and copy data into application-owned buffers first.
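For the audit step above, a heuristic source scan can surface candidate call sites. The script below is an added example, not code from libpng or the advisory; it assumes the buffer is the third argument of each getter and setter, compares variable names textually, and does not follow aliases, casts or pointers passed across functions, so a clean result is not proof of absence.

```python
import re

# Calls to the three getter/setter pairs named in the advisory.
CALL = re.compile(r"\bpng_(get|set)_(PLTE|tRNS|hIST)\s*\(")

def call_args(source, start):
    """Top-level arguments of the call whose '(' ends just before `start`."""
    args, depth, cur = [], 1, ""
    for ch in source[start:]:
        if ch in "([":
            depth += 1
        elif ch in ")]":
            depth -= 1
            if depth == 0:
                break
        if ch == "," and depth == 1:
            args.append(cur.strip())
            cur = ""
        else:
            cur += ch
    return args + [cur.strip()]

def find_round_trips(source):
    """Return (line, chunk, variable) for every setter whose buffer argument
    was filled by the matching getter on the same png_ptr/info_ptr pair."""
    live, findings = set(), []
    for m in CALL.finditer(source):
        kind, chunk = m.group(1), m.group(2)
        args = call_args(source, m.end())
        if len(args) < 3:
            continue
        # Third argument is the buffer: "&palette" in the getter, "palette" in the setter.
        key = (chunk, args[0], args[1], args[2].lstrip("& "))
        if kind == "get" and args[2].startswith("&"):
            live.add(key)
        elif kind == "set" and key in live:
            line = source.count("\n", 0, m.start()) + 1
            findings.append((line, chunk, args[2]))
    return findings

# Constructed sample: line 3 is the flagged round trip, lines 4-6 pass an
# application-owned copy, line 8 writes to a different struct pair.
SAMPLE = """\
png_get_PLTE(png_ptr, info_ptr, &palette, &num);
palette[0].red = 255;
png_set_PLTE(png_ptr, info_ptr, palette, num);
if (png_get_hIST(png_ptr, info_ptr, &hist)) {
    memcpy(own_hist, hist, num * sizeof *hist);
    png_set_hIST(png_ptr, info_ptr, own_hist);
}
png_set_PLTE(out_png, out_info, palette, num);
"""
```

Each finding is a place to review by hand: the remedy is the one listed above, copying into an application-owned buffer before calling the setter, or upgrading to 1.6.57.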
Evidence notes
The source corpus identifies the vulnerable range as libpng 1.0.9 up to, but not including, 1.6.57 and states the issue is fixed in 1.6.57. The NVD source item lists CVSS v3.1 vector CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N and CWE-416. References include upstream GitHub commits, upstream issues, a GitHub Security Advisory, and a Debian LTS announcement. CVE publishedAt is 2026-04-09T15:16:11.003Z and modifiedAt is 2026-05-09T11:16:26.960Z; those dates are used here for timing context only.
Official resources
- CVE-2026-34757 CVE record (CVE.org)
- CVE-2026-34757 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference
- Source reference
- Source reference
- Source reference
- Source reference
- Source reference (af854a3a-2127-422b-91ae-364da2661108)
CVE-2026-34757 was published on 2026-04-09 and last modified on 2026-05-09. The supplied NVD source item shows the record was still marked 'Awaiting Analysis' at the time of that modification. Use the CVE publication date, not generation or