CVE-2026-34757: LIBPNG has a yse-after-free in png_set_PLTE, png_set_tRNS and png_set_hIST leading to corrupted chunk data and potential heap information disclosure

Overview

Severity

Medium (CVSS 5.1)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Exploit Status

Not Exploited

Patch Tuesday

2026-Apr

Released

2026-04-12

EPSS Score

0.01% (percentile: 1.7%)

Affected Products (2)

Other

• 21104-17084
• 21105-17086

Revision History

• 2026-04-12: Information published.