Security researchers have disclosed two significant vulnerabilities in libpng, the official reference library for Portable Network Graphics (PNG). The flaws, which impact versions spanning decades of development, could allow attackers to trigger process crashes, leak sensitive information, or even achieve arbitrary code execution.
As a platform-independent C library, libpng is the backbone for image rendering in countless applications, from web browsers to embedded systems. These newly identified bugs highlight the persistent risks of memory management in legacy C codebases.
The first vulnerability, tracked as CVE-2026-33636, targets performance-enhancing code specifically for ARM/AArch64 architectures using Neon SIMD instructions.
An out-of-bounds (OOB) read and write exists in the palette expansion path. When the library expands 8-bit paletted rows into RGB or RGBA, the Neon loop processes the final chunk of pixels without verifying if enough input remains.
Because the implementation works backward from the end of a row, the final iteration dereferences pointers before the start of the buffer.
Attackers can easily crash processes by providing a crafted PNG. Since palettes are attacker-controlled, heap contents can be leaked through the decoded pixel output.
This only impacts systems with hardware optimizations enabled (specifically arm/palette_neon_intrinsics.c). Intel (SSE2), PowerPC, and generic C implementations are safe.
The second vulnerability, tracked as CVE-2026-33416, is a classic logic error involving pointer aliasing between two internal structures: png_struct and png_info. This bug has lived in the codebase since version 1.0 (for transparency data) and 1.2.1 (for palettes).
Functions like png_set_tRNS and png_set_PLTE share a single heap-allocated buffer across two different structures. If an application calls png_free_data, it frees the buffer through one structure while the other structure keeps a dangling pointer. Subsequent transforms then read from, and sometimes write to, this freed memory.
Researchers have demonstrated Remote Code Execution (RCE) in certain environments. On modern allocators like glibc tcache, the freed 256-byte buffer is often immediately reused for new objects. If an attacker controls the values written back into that memory (via the tRNS chunk), they can hijack the application’s control flow.
The crafted PNG files are 100% standards-compliant, meaning traditional validators or Web Application Firewalls (WAFs) cannot detect the attack without blocking all PNGs.
Users should upgrade to libpng v1.6.56 or v1.8.0 (trunk), which address both vulnerabilities.
If you cannot update immediately, the ARM Neon vulnerability can be mitigated by disabling hardware optimizations during compilation using the following flag: -DPNG_ARM_NEON_OPT=0.
For the Use-After-Free flaw, developers are advised to review application patterns that call png_free_data() between the png_read_info() and png_read_update_info() stages.
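Both flaws live on specific decode paths: the Neon bug in the expansion of 8-bit paletted rows, and the aliasing bug in the PLTE/tRNS data shared between png_struct and png_info. As an added example (not code from this article or from libpng), the chunk walker below lets a defender inventory which PNG files in a corpus would even exercise those paths; it validates chunk lengths and CRCs and reports exposure to the affected code paths, not exploitation, since the article notes the crafted files are standards-compliant. The sample image is constructed inline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def png_chunks(data: bytes):
    """Yield (type, payload) for each chunk, checking lengths and CRCs."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(payload) != length or len(crc) != 4:
            raise ValueError("truncated chunk %r" % ctype)
        if (zlib.crc32(ctype + payload) & 0xFFFFFFFF) != struct.unpack(">I", crc)[0]:
            raise ValueError("CRC mismatch in chunk %r" % ctype)
        yield ctype, payload
        pos += 12 + length

def triage_png(data: bytes) -> dict:
    """Report whether a file would exercise the code paths named in the two CVEs."""
    info = {"color_type": None, "bit_depth": None, "palette_entries": 0, "trns_bytes": 0}
    for ctype, payload in png_chunks(data):
        if ctype == b"IHDR":
            # IHDR: width(4) height(4) bit depth(1) color type(1) ...
            info["bit_depth"], info["color_type"] = struct.unpack(">IIBB", payload[:10])[2:]
        elif ctype == b"PLTE":
            info["palette_entries"] = len(payload) // 3  # three bytes per RGB entry
        elif ctype == b"tRNS":
            info["trns_bytes"] = len(payload)
    # CVE-2026-33636: the Neon loop expands 8-bit paletted rows (color type 3)
    info["neon_palette_path"] = info["color_type"] == 3 and info["bit_depth"] == 8
    # CVE-2026-33416: PLTE/tRNS data is what png_struct and png_info share
    info["plte_trns_path"] = info["palette_entries"] > 0 or info["trns_bytes"] > 0
    return info

def build_chunk(ctype: bytes, payload: bytes) -> bytes:
    """Assemble a PNG chunk: length, type, payload, CRC over type+payload."""
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload) & 0xFFFFFFFF)

# Constructed sample: a 2x1 8-bit paletted PNG with a two-entry palette and a tRNS chunk.
SAMPLE_PALETTED_PNG = (
    PNG_SIGNATURE
    + build_chunk(b"IHDR", struct.pack(">IIBBBBB", 2, 1, 8, 3, 0, 0, 0))
    + build_chunk(b"PLTE", bytes([255, 0, 0, 0, 0, 255]))
    + build_chunk(b"tRNS", bytes([255, 0]))
    + build_chunk(b"IDAT", zlib.compress(b"\x00\x00\x01"))  # filter byte + two palette indices
    + build_chunk(b"IEND", b"")
)
```

Run triage_png over each file in a corpus to find the ones that would reach the Neon palette loop on ARM builds or carry PLTE/tRNS data that the aliasing bug affects; a CRC or length error means the file is malformed and worth a separate look.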