Bug 35279 - libpng new security issues CVE-2026-33416, CVE-2026-33636
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2026-03-26 09:40 CET by Nicolas Salguero
Modified: 2026-03-28 08:27 CET

See Also:
Source RPM: libpng-1.6.38-1.4.mga9.src.rpm
CVE: CVE-2026-33416, CVE-2026-33636
Status comment:
herman.viaene: test_passed_mga9_64+



Description Nicolas Salguero 2026-03-26 09:40:55 CET
Reference: https://www.openwall.com/lists/oss-security/2026/03/26/1
Nicolas Salguero 2026-03-26 09:41:59 CET

Whiteboard: (none) => MGA9TOO
Source RPM: (none) => libpng-1.6.53-3.mga10.src.rpm, libpng-1.6.38-1.4.mga9.src.rpm
Flags: (none) => affects_mga9+
Status comment: (none) => Fixed upstream in 1.6.56
CVE: (none) => CVE-2026-33416, CVE-2026-33636

Comment 1 Nicolas Salguero 2026-03-26 11:32:40 CET
For Cauldron, libpng-1.6.53-4.mga10 fixes those issues.

Whiteboard: MGA9TOO => (none)
Source RPM: libpng-1.6.53-3.mga10.src.rpm, libpng-1.6.38-1.4.mga9.src.rpm => libpng-1.6.38-1.4.mga9.src.rpm
Version: Cauldron => 9
Flags: affects_mga9+ => (none)

Nicolas Salguero 2026-03-26 11:33:01 CET

Status comment: Fixed upstream in 1.6.56 => Fixed upstream in 1.6.56 and patches available from upstream

Comment 2 Nicolas Salguero 2026-03-26 15:32:44 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Use-after-free via pointer aliasing in png_set_tRNS and png_set_PLTE. (CVE-2026-33416)

Out-of-bounds read/write in the palette expansion on ARM Neon. (CVE-2026-33636)

References:
https://www.openwall.com/lists/oss-security/2026/03/26/1
========================

Updated packages in core/updates_testing:
========================
lib(64)png16_16-1.6.38-1.5.mga9
lib(64)png-devel-1.6.38-1.5.mga9

from SRPM:
libpng-1.6.38-1.5.mga9.src.rpm

Assignee: bugsquad => qa-bugs
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 1.6.56 and patches available from upstream => (none)

Comment 3 Herman Viaene 2026-03-27 11:20:11 CET
MGA9-64 server Plasma Wayland on Compaq H000SB.
No installation issues.
Ref bug 35115
Opened png file with inkscape and gimp, did some editing and exported result to png.
Resulting files open correctly in gwenview.
Looks OK.

Whiteboard: (none) => MGA9-64-OK
Flags: (none) => test_passed_mga9_64+
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2026-03-27 22:09:33 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

katnatek 2026-03-28 04:21:51 CET

Keywords: (none) => advisory

Comment 5 Mageia Robot 2026-03-28 08:27:06 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0070.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

