Alpine: multiple libpng packages: security update to 1.6.56-r0

high Tenable Cloud Security Plugin ID 439253

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable
Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, `png_set_tRNS` and `png_set_PLTE`
each alias a heap-allocated buffer between `png_struct` and `png_info`, sharing a single allocation across
two structs with independent lifetimes. The `trans_alpha` aliasing has been present since at least libpng
1.0, and the `palette` aliasing since at least 1.2.1. Both affect all prior release lines `png_set_tRNS`
sets `png_ptr->trans_alpha = info_ptr->trans_alpha` (256-byte buffer) and `png_set_PLTE` sets
`info_ptr->palette = png_ptr->palette` (768-byte buffer). In both cases, calling `png_free_data` (with
`PNG_FREE_TRNS` or `PNG_FREE_PLTE`) frees the buffer through `info_ptr` while the corresponding `png_ptr`
pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to
the freed memory. A second call to `png_set_tRNS` or `png_set_PLTE` has the same effect, because both
functions call `png_free_data` internally before reallocating the `info_ptr` buffer. Version 1.6.56 fixes
the issue. (CVE-2026-33416)

- LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable
Network Graphics) raster image files. In versions 1.6.36 through 1.6.55, an out-of-bounds read and write
exists in libpng's ARM/AArch64 Neon-optimized palette expansion path. When expanding 8-bit paletted rows
to RGB or RGBA, the Neon loop processes a final partial chunk without verifying that enough input pixels
remain. Because the implementation works backward from the end of the row, the final iteration
dereferences pointers before the start of the row buffer (OOB read) and writes expanded pixel data to the
same underflowed positions (OOB write). This is reachable via normal decoding of attacker-controlled PNG
input if Neon is enabled. Version 1.6.56 fixes the issue. (CVE-2026-33636)

Solution

Update the libpng library and its related packages to version 1.6.56-r0 or later.

See Also

https://security.alpinelinux.org/vuln/CVE-2026-33416

https://security.alpinelinux.org/vuln/CVE-2026-33636

Plugin Details

Severity: High

ID: 439253

Version: Revision 1.10

Type: Local

Published: 3/26/2026

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: High

Score: 7.7

Percentile: 99.06

CVSS v3

Risk Factor: High

Base Score: 7.6

Temporal Score: 6.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2026-33636

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Reference Information

CVE: CVE-2026-33416, CVE-2026-33636