VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-dm7h-c7wt-1kbs

Essentials
Severities (28)
References (25)
Severity details (14)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-dm7h-c7wt-1kbs
Aliases	CVE-2026-33416
Summary	libpng: libpng: Arbitrary code execution due to use-after-free vulnerability
Status	Published
Exploitability	0.5
Weighted Severity	6.8
Risk	3.4
Affected and Fixed Packages	Package Details

Weaknesses (2)

CWE-825	Expired Pointer Dereference
CWE-416	Use After Free

System	Score	Found at
cvssv3	7.5	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33416.json
epss	0.00037	https://api.first.org/data/v1/epss?cve=CVE-2026-33416
epss	0.00037	https://api.first.org/data/v1/epss?cve=CVE-2026-33416
epss	0.00037	https://api.first.org/data/v1/epss?cve=CVE-2026-33416
epss	0.0004	https://api.first.org/data/v1/epss?cve=CVE-2026-33416
epss	0.00042	https://api.first.org/data/v1/epss?cve=CVE-2026-33416
epss	0.00042	https://api.first.org/data/v1/epss?cve=CVE-2026-33416
epss	0.00042	https://api.first.org/data/v1/epss?cve=CVE-2026-33416
epss	0.00042	https://api.first.org/data/v1/epss?cve=CVE-2026-33416
epss	0.00042	https://api.first.org/data/v1/epss?cve=CVE-2026-33416
epss	0.00042	https://api.first.org/data/v1/epss?cve=CVE-2026-33416
epss	0.00042	https://api.first.org/data/v1/epss?cve=CVE-2026-33416
epss	0.00042	https://api.first.org/data/v1/epss?cve=CVE-2026-33416
epss	0.00042	https://api.first.org/data/v1/epss?cve=CVE-2026-33416
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2026-33416
cvssv3.1	8.1	https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1	7.5	https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb
ssvc	Track	https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb
cvssv3.1	7.5	https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667
ssvc	Track	https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667
cvssv3.1	7.5	https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25
ssvc	Track	https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25
cvssv3.1	7.5	https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1
ssvc	Track	https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1
cvssv3.1	7.5	https://github.com/pnggroup/libpng/pull/824
ssvc	Track	https://github.com/pnggroup/libpng/pull/824
cvssv3.1	7.5	https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j
ssvc	Track	https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33416.json
		https://api.first.org/data/v1/epss?cve=CVE-2026-33416
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33416
		https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
1132012		https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132012
23019269764e35ed8458e517f1897bd3c54820eb		https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb
2451805		https://bugzilla.redhat.com/show_bug.cgi?id=2451805
7ea9eea884a2328cc7fdcb3c0c00246a50d90667		https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667
824		https://github.com/pnggroup/libpng/pull/824
a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25		https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25
c1b0318b393c90679e6fa5bc1d329fd5d5012ec1		https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1
GHSA-m4pc-p4q3-4c7j		https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j
RHSA-2026:11805		https://access.redhat.com/errata/RHSA-2026:11805
RHSA-2026:11813		https://access.redhat.com/errata/RHSA-2026:11813
RHSA-2026:12264		https://access.redhat.com/errata/RHSA-2026:12264
RHSA-2026:6732		https://access.redhat.com/errata/RHSA-2026:6732
RHSA-2026:7671		https://access.redhat.com/errata/RHSA-2026:7671
RHSA-2026:7672		https://access.redhat.com/errata/RHSA-2026:7672
RHSA-2026:8052		https://access.redhat.com/errata/RHSA-2026:8052
RHSA-2026:8459		https://access.redhat.com/errata/RHSA-2026:8459
RHSA-2026:9254		https://access.redhat.com/errata/RHSA-2026:9254
RHSA-2026:9255		https://access.redhat.com/errata/RHSA-2026:9255
RHSA-2026:9345		https://access.redhat.com/errata/RHSA-2026:9345
RHSA-2026:9638		https://access.redhat.com/errata/RHSA-2026:9638
RHSA-2026:9693		https://access.redhat.com/errata/RHSA-2026:9693

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33416.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-26T19:49:05Z/ Found at https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-26T19:49:05Z/ Found at https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-26T19:49:05Z/ Found at https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-26T19:49:05Z/ Found at https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/pnggroup/libpng/pull/824

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-26T19:49:05Z/ Found at https://github.com/pnggroup/libpng/pull/824

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-26T19:49:05Z/ Found at https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j

Exploit Prediction Scoring System (EPSS)

Percentile	0.11022
EPSS Score	0.00037
Published At	April 21, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T13:30:14.691357+00:00	RedHat Importer	Import	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33416.json	38.0.0