Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-ztv5-xba4-c3cc
Vulnerability ID VCID-ztv5-xba4-c3cc
Aliases CVE-2026-33416
Summary libpng: libpng: Arbitrary code execution due to use-after-free vulnerability
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (2)
CWE-825 Expired Pointer Dereference
CWE-416 Use After Free
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33416.json
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2026-33416
cvssv3.1 8.1 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 7.5 https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb
ssvc Track https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb
cvssv3.1 7.5 https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667
ssvc Track https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667
cvssv3.1 7.5 https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25
ssvc Track https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25
cvssv3.1 7.5 https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1
ssvc Track https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1
cvssv3.1 7.5 https://github.com/pnggroup/libpng/pull/824
ssvc Track https://github.com/pnggroup/libpng/pull/824
cvssv3.1 7.5 https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j
ssvc Track https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33416.json
https://api.first.org/data/v1/epss?cve=CVE-2026-33416
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33416
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
1132012 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132012
23019269764e35ed8458e517f1897bd3c54820eb https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb
2451805 https://bugzilla.redhat.com/show_bug.cgi?id=2451805
7ea9eea884a2328cc7fdcb3c0c00246a50d90667 https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667
824 https://github.com/pnggroup/libpng/pull/824
a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25 https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25
c1b0318b393c90679e6fa5bc1d329fd5d5012ec1 https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1
GHSA-m4pc-p4q3-4c7j https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j
RHSA-2026:11805 https://access.redhat.com/errata/RHSA-2026:11805
RHSA-2026:11813 https://access.redhat.com/errata/RHSA-2026:11813
RHSA-2026:12264 https://access.redhat.com/errata/RHSA-2026:12264
RHSA-2026:13342 https://access.redhat.com/errata/RHSA-2026:13342
RHSA-2026:13412 https://access.redhat.com/errata/RHSA-2026:13412
RHSA-2026:13533 https://access.redhat.com/errata/RHSA-2026:13533
RHSA-2026:13582 https://access.redhat.com/errata/RHSA-2026:13582
RHSA-2026:13583 https://access.redhat.com/errata/RHSA-2026:13583
RHSA-2026:13596 https://access.redhat.com/errata/RHSA-2026:13596
RHSA-2026:13600 https://access.redhat.com/errata/RHSA-2026:13600
RHSA-2026:13665 https://access.redhat.com/errata/RHSA-2026:13665
RHSA-2026:13682 https://access.redhat.com/errata/RHSA-2026:13682
RHSA-2026:13683 https://access.redhat.com/errata/RHSA-2026:13683
RHSA-2026:13922 https://access.redhat.com/errata/RHSA-2026:13922
RHSA-2026:13977 https://access.redhat.com/errata/RHSA-2026:13977
RHSA-2026:14223 https://access.redhat.com/errata/RHSA-2026:14223
RHSA-2026:14303 https://access.redhat.com/errata/RHSA-2026:14303
RHSA-2026:15889 https://access.redhat.com/errata/RHSA-2026:15889
RHSA-2026:18028 https://access.redhat.com/errata/RHSA-2026:18028
RHSA-2026:18064 https://access.redhat.com/errata/RHSA-2026:18064
RHSA-2026:20548 https://access.redhat.com/errata/RHSA-2026:20548
RHSA-2026:20549 https://access.redhat.com/errata/RHSA-2026:20549
RHSA-2026:20550 https://access.redhat.com/errata/RHSA-2026:20550
RHSA-2026:20551 https://access.redhat.com/errata/RHSA-2026:20551
RHSA-2026:6732 https://access.redhat.com/errata/RHSA-2026:6732
RHSA-2026:7671 https://access.redhat.com/errata/RHSA-2026:7671
RHSA-2026:7672 https://access.redhat.com/errata/RHSA-2026:7672
RHSA-2026:8052 https://access.redhat.com/errata/RHSA-2026:8052
RHSA-2026:8459 https://access.redhat.com/errata/RHSA-2026:8459
RHSA-2026:9254 https://access.redhat.com/errata/RHSA-2026:9254
RHSA-2026:9255 https://access.redhat.com/errata/RHSA-2026:9255
RHSA-2026:9345 https://access.redhat.com/errata/RHSA-2026:9345
RHSA-2026:9638 https://access.redhat.com/errata/RHSA-2026:9638
RHSA-2026:9693 https://access.redhat.com/errata/RHSA-2026:9693
USN-8251-1 https://usn.ubuntu.com/8251-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33416.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-26T19:49:05Z/ Found at https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-26T19:49:05Z/ Found at https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-26T19:49:05Z/ Found at https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-26T19:49:05Z/ Found at https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/pnggroup/libpng/pull/824
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-26T19:49:05Z/ Found at https://github.com/pnggroup/libpng/pull/824
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-26T19:49:05Z/ Found at https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j
Exploit Prediction Scoring System (EPSS)
Percentile 0.06776
EPSS Score 0.00023
Published At May 29, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-29T08:41:45.448223+00:00 RedHat Importer Import https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33416.json 38.6.0