Action not permitted
Modal body text goes here.
Modal Title
Modal Body
alsa-2026:8052
Vulnerability from osv_almalinux
Published
2026-04-14 00:00
Modified
2026-04-15 13:12
Summary
Important: firefox security update
Details
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.
Security Fix(es):
- libpng: libpng: Arbitrary code execution due to use-after-free vulnerability (CVE-2026-33416)
- libpng: libpng: Information disclosure and denial of service via out-of-bounds read/write in Neon palette expansion (CVE-2026-33636)
- thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2 (CVE-2026-5734)
- thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2 (CVE-2026-5731)
- firefox: thunderbird: Incorrect boundary conditions, integer overflow in the Graphics: Text component (CVE-2026-5732)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
References
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "firefox"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "140.9.1-1.el8_10.alma.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. \n\nSecurity Fix(es): \n\n * libpng: libpng: Arbitrary code execution due to use-after-free vulnerability (CVE-2026-33416)\n * libpng: libpng: Information disclosure and denial of service via out-of-bounds read/write in Neon palette expansion (CVE-2026-33636)\n * thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2 (CVE-2026-5734)\n * thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2 (CVE-2026-5731)\n * firefox: thunderbird: Incorrect boundary conditions, integer overflow in the Graphics: Text component (CVE-2026-5732)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
"id": "ALSA-2026:8052",
"modified": "2026-04-15T13:12:54Z",
"published": "2026-04-14T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2026:8052"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-33416"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-33636"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-5731"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-5732"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-5734"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2451805"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2451819"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2455897"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2455901"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2455908"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/8/ALSA-2026-8052.html"
}
],
"related": [
"CVE-2026-33416",
"CVE-2026-33636",
"CVE-2026-5734",
"CVE-2026-5731",
"CVE-2026-5732"
],
"summary": "Important: firefox security update"
}
CVE-2026-5731 (GCVE-0-2026-5731)
Vulnerability from cvelistv5 – Published: 2026-04-07 12:43 – Updated: 2026-04-13 13:51
VLAI?
EPSS
Title
Memory safety bugs fixed in Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2
Summary
Memory safety bugs present in Firefox ESR 115.34.0, Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149.0.2, Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird 149.0.2, and Thunderbird 140.9.1.
Severity ?
9.8 (Critical)
CWE
- CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Mozilla | Firefox |
Unaffected:
115.34.1 , ≤ 115.*
(rpm)
Unaffected: 140.9.1 , ≤ 140.* (rpm) Unaffected: 149.0.2 , ≤ * (rpm) |
|||||||
|
|||||||||
Credits
Brian Grinstead, Christian Holler, Tom Schuster and the Mozilla Fuzzing Team
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-5731",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T03:55:32.832Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThanOrEqual": "115.*",
"status": "unaffected",
"version": "115.34.1",
"versionType": "rpm"
},
{
"lessThanOrEqual": "140.*",
"status": "unaffected",
"version": "140.9.1",
"versionType": "rpm"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "149.0.2",
"versionType": "rpm"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThanOrEqual": "140.*",
"status": "unaffected",
"version": "140.9.1",
"versionType": "rpm"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "149.0.2",
"versionType": "rpm"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Brian Grinstead, Christian Holler, Tom Schuster and the Mozilla Fuzzing Team"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Memory safety bugs present in Firefox ESR 115.34.0, Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149.0.2, Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird 149.0.2, and Thunderbird 140.9.1."
}
],
"value": "Memory safety bugs present in Firefox ESR 115.34.0, Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149.0.2, Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird 149.0.2, and Thunderbird 140.9.1."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T13:51:32.565Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"name": "Memory safety bugs fixed in Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2",
"url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=2021894%2C2022225%2C2022252%2C2022294%2C2023007%2C2023130%2C2023191%2C2023364%2C2023829%2C2024074%2C2024417%2C2024433%2C2024436%2C2024437%2C2024453%2C2024461%2C2024462%2C2024472%2C2024474%2C2024477%2C2025364%2C2025401%2C2025402%2C2025472%2C2026287%2C2026299%2C2026305%2C2026426"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2026-25/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2026-26/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2026-27/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2026-28/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2026-29/"
}
],
"title": "Memory safety bugs fixed in Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2"
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2026-5731",
"datePublished": "2026-04-07T12:43:11.895Z",
"dateReserved": "2026-04-07T12:43:11.413Z",
"dateUpdated": "2026-04-13T13:51:32.565Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33636 (GCVE-0-2026-33636)
Vulnerability from cvelistv5 – Published: 2026-03-26 16:51 – Updated: 2026-03-26 18:45
VLAI?
EPSS
Title
LIBPNG has ARM NEON Palette Expansion Out-of-Bounds Read on AArch64
Summary
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.6.36 through 1.6.55, an out-of-bounds read and write exists in libpng's ARM/AArch64 Neon-optimized palette expansion path. When expanding 8-bit paletted rows to RGB or RGBA, the Neon loop processes a final partial chunk without verifying that enough input pixels remain. Because the implementation works backward from the end of the row, the final iteration dereferences pointers before the start of the row buffer (OOB read) and writes expanded pixel data to the same underflowed positions (OOB write). This is reachable via normal decoding of attacker-controlled PNG input if Neon is enabled. Version 1.6.56 fixes the issue.
Severity ?
7.6 (High)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33636",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-26T18:45:14.491475Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T18:45:26.631Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "libpng",
"vendor": "pnggroup",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.6.36, \u003c 1.6.56"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.6.36 through 1.6.55, an out-of-bounds read and write exists in libpng\u0027s ARM/AArch64 Neon-optimized palette expansion path. When expanding 8-bit paletted rows to RGB or RGBA, the Neon loop processes a final partial chunk without verifying that enough input pixels remain. Because the implementation works backward from the end of the row, the final iteration dereferences pointers before the start of the row buffer (OOB read) and writes expanded pixel data to the same underflowed positions (OOB write). This is reachable via normal decoding of attacker-controlled PNG input if Neon is enabled. Version 1.6.56 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787: Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T16:51:58.289Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pnggroup/libpng/security/advisories/GHSA-wjr5-c57x-95m2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-wjr5-c57x-95m2"
},
{
"name": "https://github.com/pnggroup/libpng/commit/7734cda20cf1236aef60f3bbd2267c97bbb40869",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pnggroup/libpng/commit/7734cda20cf1236aef60f3bbd2267c97bbb40869"
},
{
"name": "https://github.com/pnggroup/libpng/commit/aba9f18eba870d14fb52c5ba5d73451349e339c3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pnggroup/libpng/commit/aba9f18eba870d14fb52c5ba5d73451349e339c3"
}
],
"source": {
"advisory": "GHSA-wjr5-c57x-95m2",
"discovery": "UNKNOWN"
},
"title": "LIBPNG has ARM NEON Palette Expansion Out-of-Bounds Read on AArch64"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33636",
"datePublished": "2026-03-26T16:51:58.289Z",
"dateReserved": "2026-03-23T14:24:11.619Z",
"dateUpdated": "2026-03-26T18:45:26.631Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5734 (GCVE-0-2026-5734)
Vulnerability from cvelistv5 – Published: 2026-04-07 12:43 – Updated: 2026-04-13 13:51
VLAI?
EPSS
Title
Memory safety bugs fixed in Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2
Summary
Memory safety bugs present in Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149.0.2, Firefox ESR 140.9.1, Thunderbird 149.0.2, and Thunderbird 140.9.1.
Severity ?
8.1 (High)
CWE
- CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Mozilla | Firefox |
Unaffected:
140.9.1 , ≤ 140.*
(rpm)
Unaffected: 149.0.2 , ≤ * (rpm) |
|||||||
|
|||||||||
Credits
Brian Grinstead, Christian Holler, Tom Schuster and the Mozilla Fuzzing Team
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-5734",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-08T03:55:30.963374Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-120",
"description": "CWE-120 Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T13:20:27.463Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThanOrEqual": "140.*",
"status": "unaffected",
"version": "140.9.1",
"versionType": "rpm"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "149.0.2",
"versionType": "rpm"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThanOrEqual": "140.*",
"status": "unaffected",
"version": "140.9.1",
"versionType": "rpm"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "149.0.2",
"versionType": "rpm"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Brian Grinstead, Christian Holler, Tom Schuster and the Mozilla Fuzzing Team"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Memory safety bugs present in Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149.0.2, Firefox ESR 140.9.1, Thunderbird 149.0.2, and Thunderbird 140.9.1."
}
],
"value": "Memory safety bugs present in Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149.0.2, Firefox ESR 140.9.1, Thunderbird 149.0.2, and Thunderbird 140.9.1."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T13:51:34.677Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"name": "Memory safety bugs fixed in Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2",
"url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=2022369%2C2023026%2C2023545%2C2023555%2C2023958%2C2025422%2C2025468%2C2025492%2C2025505"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2026-25/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2026-27/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2026-28/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2026-29/"
}
],
"title": "Memory safety bugs fixed in Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2"
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2026-5734",
"datePublished": "2026-04-07T12:43:14.833Z",
"dateReserved": "2026-04-07T12:43:14.328Z",
"dateUpdated": "2026-04-13T13:51:34.677Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5732 (GCVE-0-2026-5732)
Vulnerability from cvelistv5 – Published: 2026-04-07 12:43 – Updated: 2026-04-13 13:51
VLAI?
EPSS
Title
Incorrect boundary conditions, integer overflow in the Graphics: Text component
Summary
Incorrect boundary conditions, integer overflow in the Graphics: Text component. This vulnerability was fixed in Firefox 149.0.2, Firefox ESR 140.9.1, Thunderbird 149.0.2, and Thunderbird 140.9.1.
Severity ?
8.8 (High)
CWE
- CWE-190 - Integer Overflow or Wraparound
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Mozilla | Firefox |
Unaffected:
140.9.1 , ≤ 140.*
(rpm)
Unaffected: 149.0.2 , ≤ * (rpm) |
|||||||
|
|||||||||
Credits
Sajeeb Lohani
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-5732",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T14:28:39.207668Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:29:05.339Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThanOrEqual": "140.*",
"status": "unaffected",
"version": "140.9.1",
"versionType": "rpm"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "149.0.2",
"versionType": "rpm"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThanOrEqual": "140.*",
"status": "unaffected",
"version": "140.9.1",
"versionType": "rpm"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "149.0.2",
"versionType": "rpm"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Sajeeb Lohani"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect boundary conditions, integer overflow in the Graphics: Text component. This vulnerability was fixed in Firefox 149.0.2, Firefox ESR 140.9.1, Thunderbird 149.0.2, and Thunderbird 140.9.1."
}
],
"value": "Incorrect boundary conditions, integer overflow in the Graphics: Text component. This vulnerability was fixed in Firefox 149.0.2, Firefox ESR 140.9.1, Thunderbird 149.0.2, and Thunderbird 140.9.1."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T13:51:28.140Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2017867"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2026-25/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2026-27/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2026-28/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2026-29/"
}
],
"title": "Incorrect boundary conditions, integer overflow in the Graphics: Text component"
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2026-5732",
"datePublished": "2026-04-07T12:43:12.829Z",
"dateReserved": "2026-04-07T12:43:12.349Z",
"dateUpdated": "2026-04-13T13:51:28.140Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33416 (GCVE-0-2026-33416)
Vulnerability from cvelistv5 – Published: 2026-03-26 16:48 – Updated: 2026-04-01 03:55
VLAI?
EPSS
Title
LIBPNG has use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`
Summary
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, `png_set_tRNS` and `png_set_PLTE` each alias a heap-allocated buffer between `png_struct` and `png_info`, sharing a single allocation across two structs with independent lifetimes. The `trans_alpha` aliasing has been present since at least libpng 1.0, and the `palette` aliasing since at least 1.2.1. Both affect all prior release lines `png_set_tRNS` sets `png_ptr->trans_alpha = info_ptr->trans_alpha` (256-byte buffer) and `png_set_PLTE` sets `info_ptr->palette = png_ptr->palette` (768-byte buffer). In both cases, calling `png_free_data` (with `PNG_FREE_TRNS` or `PNG_FREE_PLTE`) frees the buffer through `info_ptr` while the corresponding `png_ptr` pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory. A second call to `png_set_tRNS` or `png_set_PLTE` has the same effect, because both functions call `png_free_data` internally before reallocating the `info_ptr` buffer. Version 1.6.56 fixes the issue.
Severity ?
7.5 (High)
CWE
- CWE-416 - Use After Free
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33416",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-31T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T03:55:17.603Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "libpng",
"vendor": "pnggroup",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.2.1, \u003c 1.6.56"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, `png_set_tRNS` and `png_set_PLTE` each alias a heap-allocated buffer between `png_struct` and `png_info`, sharing a single allocation across two structs with independent lifetimes. The `trans_alpha` aliasing has been present since at least libpng 1.0, and the `palette` aliasing since at least 1.2.1. Both affect all prior release lines `png_set_tRNS` sets `png_ptr-\u003etrans_alpha = info_ptr-\u003etrans_alpha` (256-byte buffer) and `png_set_PLTE` sets `info_ptr-\u003epalette = png_ptr-\u003epalette` (768-byte buffer). In both cases, calling `png_free_data` (with `PNG_FREE_TRNS` or `PNG_FREE_PLTE`) frees the buffer through `info_ptr` while the corresponding `png_ptr` pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory. A second call to `png_set_tRNS` or `png_set_PLTE` has the same effect, because both functions call `png_free_data` internally before reallocating the `info_ptr` buffer. Version 1.6.56 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416: Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T16:48:54.174Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j"
},
{
"name": "https://github.com/pnggroup/libpng/pull/824",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pnggroup/libpng/pull/824"
},
{
"name": "https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb"
},
{
"name": "https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667"
},
{
"name": "https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25"
},
{
"name": "https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1"
}
],
"source": {
"advisory": "GHSA-m4pc-p4q3-4c7j",
"discovery": "UNKNOWN"
},
"title": "LIBPNG has use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33416",
"datePublished": "2026-03-26T16:48:54.174Z",
"dateReserved": "2026-03-19T17:02:34.172Z",
"dateUpdated": "2026-04-01T03:55:17.603Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Show additional events:
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…