SB2026052545 - SUSE update for libpng16

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026052545

SB2026052545 - SUSE update for libpng16

Published: May 25, 2026

Security Bulletin ID SB2026052545
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Local access
Highest impact Data manipulation

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 vulnerability.


1) Use-after-free (CVE-ID: CVE-2026-34757)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to disclose heap information and corrupt chunk data.

The vulnerability exists due to use-after-free in png_set_PLTE, png_set_tRNS, and png_set_hIST when passing a pointer returned by the corresponding getter back into the setter on the same png_struct/png_info pair. A remote attacker can pass an aliased pointer to cause the library to read freed memory and copy stale or unrelated heap contents into replacement storage to disclose heap information and corrupt chunk data.

The issue cannot be triggered by a crafted PNG file alone; exploitation requires the application to call the getter and setter in sequence on the same struct pair, and any image containing the relevant chunk is sufficient to set up the internal pointer.


Remediation

Install update from vendor's website.

References