Researchers have found two serious security holes in libpng, the most widely used reference library for working with Portable Network Graphics (PNG) image files. These bugs let remote attackers crash processes, leak sensitive heap memory, and possibly execute arbitrary code by getting applications to process specially crafted, standards-compliant PNG images.
To protect the affected software ecosystems, both vulnerabilities need to be fixed right away. The first vulnerability, CVE-2026-33416, carries a high CVSS severity score of 8.1. It is caused by a use-after-free condition in the library's code for handling transparency and palettes. The second flaw is an out-of-bounds read and write in the ARM/AArch64 Neon-optimized palette expansion routines.
Organizations need to upgrade quickly to libpng version 1.6.56 or the 1.8.0 trunk release, which properly separate memory lifetimes and enforce strict loop boundaries. The Neon flaw only occurs in ARM/AArch64 environments with Neon optimizations enabled, and it affects versions 1.4.36 to 1.5.55.
It also permits out-of-bounds reads, which could leak sensitive heap contents through decoded pixel output.
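As an added example (not from the article or the libpng project), here is a POSIX shell helper that converts a libpng version string into the integer form libpng itself uses for PNG_LIBPNG_VER and reports whether an installed copy is at or past the fixed releases named above. The function names are hypothetical, and the pkg-config and uname calls assume a Unix host; the thresholds come from the advisory text, so 1.7.x, which the advisory does not mention, is treated as unconfirmed.

```shell
#!/bin/sh
# Added example, hypothetical helper: compare an installed libpng against the
# fixed releases named in the advisory (1.6.56 in the 1.6 series, or 1.8.0).

# Turn "major.minor.patch" into major*10000 + minor*100 + patch, the same
# encoding libpng uses for its PNG_LIBPNG_VER macro (1.6.56 -> 10656).
# Suffixes such as "-rc1" or "beta" are dropped before splitting.
libpng_version_number() {
    ver=$(printf '%s\n' "$1" | sed 's/[^0-9.].*$//')
    old_ifs=$IFS; IFS=.; set -- $ver; IFS=$old_ifs
    printf '%d' $(( ${1:-0} * 10000 + ${2:-0} * 100 + ${3:-0} ))
}

# Returns 0 when the version is at or past a release the advisory names as
# fixed: 1.6.56 or later within the 1.6 series, or 1.8.0 and later.
# 1.7.x is not mentioned by the advisory, so it is reported as unconfirmed (1).
libpng_is_fixed() {
    n=$(libpng_version_number "$1")
    if [ "$n" -ge 10800 ]; then return 0; fi
    if [ "$n" -ge 10656 ] && [ "$n" -lt 10700 ]; then return 0; fi
    return 1
}

# Prints a one-line verdict for the libpng that pkg-config reports, noting
# whether this host is ARM/AArch64, where the Neon palette path applies.
report_installed_libpng() {
    ver=$(pkg-config --modversion libpng 2>/dev/null) || {
        echo "libpng: not found via pkg-config"; return 0; }
    arch=$(uname -m 2>/dev/null || echo unknown)
    case $arch in
        aarch64|arm*) neon="ARM host: Neon palette path applies" ;;
        *)            neon="non-ARM host" ;;
    esac
    if libpng_is_fixed "$ver"; then
        echo "libpng $ver: at or past the fixed release ($neon)"
    else
        echo "libpng $ver: upgrade to 1.6.56 or 1.8.0 ($neon)"
    fi
}

report_installed_libpng
```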


