LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, `png_set_tRNS` and `png_set_PLTE` each alias a heap-allocated buffer between `png_struct` and `png_info`, sharing a single allocation across two structs with independent lifetimes. The `trans_alpha` aliasing has been present since at least libpng 1.0, and the `palette` aliasing since at least 1.2.1. Both affect all prior release lines. `png_set_tRNS` sets `png_ptr->trans_alpha = info_ptr->trans_alpha` (256-byte buffer) and `png_set_PLTE` sets `info_ptr->palette = png_ptr->palette` (768-byte buffer). In both cases, calling `png_free_data` (with `PNG_FREE_TRNS` or `PNG_FREE_PLTE`) frees the buffer through `info_ptr` while the corresponding `png_ptr` pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory. A second call to `png_set_tRNS` or `png_set_PLTE` has the same effect, because both functions call `png_free_data` internally before reallocating the `info_ptr` buffer. Version 1.6.56 fixes the issue.
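The ownership problem described above, as an added example that is not libpng code: a toy model of the `trans_alpha` aliasing, with a quarantining allocator so the dangling pointer can be detected without touching freed memory. The `toy_*`, `q_*` and `set_trns` names are hypothetical, and the own-copy variant is an assumed remedy, not necessarily how 1.6.56 fixes it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Toy stand-ins for png_struct / png_info; not libpng's real layouts. */
typedef struct { unsigned char *trans_alpha; } toy_png;
typedef struct { unsigned char *trans_alpha; } toy_info;

/* Quarantining allocator: q_free() only marks a block dead and keeps the
 * memory (never returned here), so the check never reads freed storage. */
static struct { void *p; int live; } blocks[8];
static int nblocks;
static void *q_alloc(size_t n) {
    void *p = nblocks < 8 ? calloc(1, n) : NULL;
    if (p != NULL) { blocks[nblocks].p = p; blocks[nblocks++].live = 1; }
    return p;
}
static void q_free(const void *p) {
    for (int i = 0; i < nblocks; i++) if (blocks[i].p == p) blocks[i].live = 0;
}
static int is_dangling(const void *p) {
    for (int i = 0; i < nblocks; i++) if (blocks[i].p == p) return !blocks[i].live;
    return 0;
}

/* alias=1: advisory's shared-buffer pattern; alias=0: assumed remedy, own copies. */
static int set_trns(toy_png *png, toy_info *info, const unsigned char *src, size_t n, int alias) {
    if (n > 256 || (info->trans_alpha = q_alloc(256)) == NULL) return -1;
    memcpy(info->trans_alpha, src, n);
    if (alias) { png->trans_alpha = info->trans_alpha; return 0; }
    if ((png->trans_alpha = q_alloc(256)) == NULL) return -1;
    memcpy(png->trans_alpha, src, n);
    return 0;
}
/* Models png_free_data(..., PNG_FREE_TRNS): releases through info only. */
static void free_info_trns(toy_info *info) {
    q_free(info->trans_alpha);
    info->trans_alpha = NULL;
}
/* Returns 1 if png's pointer dangles after the info-side free, 0 if not. */
int dangles_after_info_free(int alias) {
    static const unsigned char alpha[3] = {0, 128, 255}; /* constructed sample */
    toy_png png = {0}; toy_info info = {0};
    if (set_trns(&png, &info, alpha, sizeof alpha, alias) != 0) return -1;
    free_info_trns(&info);
    return is_dangling(png.trans_alpha);
}
int main(void) {
    return printf("aliased: %d, owned: %d\n", dangles_after_info_free(1), dangles_after_info_free(0)) < 0;
}
```

Nulling `info->trans_alpha` after the free does nothing for the second holder, which is why the aliased case still reports a dangling pointer.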
This issue has been addressed in the following products: Red Hat Enterprise Linux 10 Via RHSA-2026:7672 https://access.redhat.com/errata/RHSA-2026:7672
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2026:7671 https://access.redhat.com/errata/RHSA-2026:7671
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2026:8052 https://access.redhat.com/errata/RHSA-2026:8052
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2026:8459 https://access.redhat.com/errata/RHSA-2026:8459
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2026:9345 https://access.redhat.com/errata/RHSA-2026:9345
This issue has been addressed in the following products: Red Hat Enterprise Linux 10 Via RHSA-2026:9638 https://access.redhat.com/errata/RHSA-2026:9638
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Advanced Update Support Via RHSA-2026:11805 https://access.redhat.com/errata/RHSA-2026:11805
This issue has been addressed in the following products: Red Hat Enterprise Linux 10.0 Extended Update Support Via RHSA-2026:11813 https://access.redhat.com/errata/RHSA-2026:11813
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions Via RHSA-2026:12264 https://access.redhat.com/errata/RHSA-2026:12264
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.6 Extended Update Support Via RHSA-2026:13342 https://access.redhat.com/errata/RHSA-2026:13342
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions Via RHSA-2026:13412 https://access.redhat.com/errata/RHSA-2026:13412
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.4 Extended Update Support Via RHSA-2026:13533 https://access.redhat.com/errata/RHSA-2026:13533
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions Via RHSA-2026:13596 https://access.redhat.com/errata/RHSA-2026:13596
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.4 Extended Update Support Via RHSA-2026:13582 https://access.redhat.com/errata/RHSA-2026:13582
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.6 Extended Update Support Via RHSA-2026:13583 https://access.redhat.com/errata/RHSA-2026:13583
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On Via RHSA-2026:13600 https://access.redhat.com/errata/RHSA-2026:13600
This issue has been addressed in the following products: Red Hat Enterprise Linux 10.0 Extended Update Support Via RHSA-2026:13665 https://access.redhat.com/errata/RHSA-2026:13665
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions Red Hat Enterprise Linux 8.8 Telecommunications Update Service Via RHSA-2026:13682 https://access.redhat.com/errata/RHSA-2026:13682
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions Red Hat Enterprise Linux 8.6 Telecommunications Update Service Via RHSA-2026:13683 https://access.redhat.com/errata/RHSA-2026:13683
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions Via RHSA-2026:13922 https://access.redhat.com/errata/RHSA-2026:13922
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extended Lifecycle Support Via RHSA-2026:13977 https://access.redhat.com/errata/RHSA-2026:13977
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions Red Hat Enterprise Linux 8.8 Telecommunications Update Service Via RHSA-2026:14223 https://access.redhat.com/errata/RHSA-2026:14223
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On Via RHSA-2026:14303 https://access.redhat.com/errata/RHSA-2026:14303
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions Red Hat Enterprise Linux 8.6 Telecommunications Update Service Via RHSA-2026:15889 https://access.redhat.com/errata/RHSA-2026:15889