Researchers have found two serious security holes in libpng, the most widely used library for working with PNG images. This article looks at those flaws. They let attackers crash processes, steal private information, and possibly even execute arbitrary code.
The flaws affect any software that parses malformed images, which makes them serious threats to web apps, embedded systems, and server-side image processing pipelines. Administrators and developers should update their libpng packages to version 1.6.56 or 1.8.0 right away. The security updates fix the use-after-free by allocating the affected pointers separately, and they correct the loop bounds in the ARM Neon hardware optimizations so that the loop can no longer access memory out of bounds.
If upgrading the library isn't possible right away, organizations can temporarily mitigate CVE-2026-33636 by recompiling libpng with all hardware optimizations disabled. Administrators should be aware, however, that this workaround can slow down image processing. The malicious PNG is structurally valid, so ordinary web application firewalls cannot detect it unless they block all images.
The second flaw affects only the ARM and AArch64 hardware architectures. It lies in the Neon-optimized palette expansion code that was added in libpng version 1.5.36. Although this bug has not been shown to allow arbitrary code execution, it readily causes reliable process crashes, which makes it a serious availability risk.
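As an added example (not code from the article or from the libpng project), the script below turns the article's version guidance into a check an administrator can run: it treats 1.6.56 and 1.8.0 as the first fixed releases on their branches, flags every other branch as unpatched (my conservative assumption, since the article names no other fixed versions), and reports whether the ARM-only Neon palette bug, present from 1.5.36 onward, applies on this machine. It reads the installed version through libpng's own `png_get_libpng_ver` via ctypes.

```python
import ctypes
import ctypes.util
import platform
import re

# Fixed releases named in the article, keyed by branch (major, minor).
FIXED = {(1, 6): (1, 6, 56), (1, 8): (1, 8, 0)}
# The article dates the Neon palette-expansion code to libpng 1.5.36.
NEON_PALETTE_SINCE = (1, 5, 36)

def parse_version(text):
    """'1.6.50' or '1.6.50.git' -> (1, 6, 50); raises ValueError otherwise."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised libpng version: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_patched(version):
    """True only for a release at or above a fixed version on a named branch."""
    v = parse_version(version) if isinstance(version, str) else version
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return False  # assumption: 1.5.x, 1.7.x etc. are not named as fixed, so flag them
    return v >= fixed

def neon_palette_exposed(version, machine=None):
    """ARM-only bug: present from 1.5.36 onward and not yet patched."""
    machine = (machine or platform.machine()).lower()
    on_arm = machine.startswith(("arm", "aarch64"))
    v = parse_version(version) if isinstance(version, str) else version
    return on_arm and v >= NEON_PALETTE_SINCE and not is_patched(v)

def installed_libpng_version():
    """Ask the system libpng for its own version via png_get_libpng_ver(NULL)."""
    name = ctypes.util.find_library("png16") or ctypes.util.find_library("png")
    if not name:
        return None
    lib = ctypes.CDLL(name)
    lib.png_get_libpng_ver.restype = ctypes.c_char_p
    lib.png_get_libpng_ver.argtypes = [ctypes.c_void_p]
    return lib.png_get_libpng_ver(None).decode()

if __name__ == "__main__":
    ver = installed_libpng_version()
    if ver is None:
        print("no libpng shared library found")
    else:
        print(ver, "patched" if is_patched(ver) else "NOT patched",
              "| Neon palette bug exposed:", neon_palette_exposed(ver))
```

Statically linked copies of libpng inside application binaries are not seen by this check, so inventory those separately.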