This moderate-severity security update for libpng addresses CVE-2026-33636, an out-of-bounds read/write vulnerability in the Neon palette expansion that can lead to information disclosure and denial of service. The update is available for Red Hat Enterprise Linux 10 across all supported architectures (x86_64, s390x, ppc64le, aarch64). The fixed packages are version libpng-1.6.40-8.el10_1.3, and administrators should apply the update using the standard Red Hat patch management process.
Red Hat Product Errata RHSA-2026:14790 - Security Advisory Issued: 2026-05-07 Updated: 2026-05-07 RHSA-2026:14790 - Security Advisory Overview Updated Packages Synopsis Moderate: libpng security update Type/Severity Security Advisory: Moderate Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for libpng is now available for Red Hat Enterprise Linux 10. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description The libpng packages contain a library of functions for creating and manipulating Portable Network Graphics (PNG) image format files. Security Fix(es): libpng: libpng: Information disclosure and denial of service via out-of-bounds read/write in Neon palette expansion (CVE-2026-33636) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux for x86_64 10 x86_64 Red Hat Enterprise Linux for IBM z Systems 10 s390x Red Hat Enterprise Linux for Power, little endian 10 ppc64le Red Hat Enterprise Linux for ARM 64 10 aarch64 Fixes BZ - 2451819 - CVE-2026-33636 libpng: libpng: Information disclosure and denial of service via out-of-bounds read/write in Neon palette expansion CVEs CVE-2026-33636 References https://access.redhat.com/security/updates/classification/#moderate Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux for x86_64 10 SRPM libpng-1.6.40-8.el10_1.3.src.rpm SHA-256: 50298757753180ea3b58792e593dc7033223262dfd751b9a7e50e5488d81499a x86_64 libpng-1.6.40-8.el10_1.3.x86_64.rpm SHA-256: 2a95cf05ef94c777c74b47b24506ff5e8b6d20f483627fa990384f43d3375419 libpng-debuginfo-1.6.40-8.el10_1.3.x86_64.rpm SHA-256: b4747ff86ad4475c3e85030493ebfbd6eb099ae9a65cf0abbb4a82661940aa64 libpng-debuginfo-1.6.40-8.el10_1.3.x86_64.rpm SHA-256: b4747ff86ad4475c3e85030493ebfbd6eb099ae9a65cf0abbb4a82661940aa64 libpng-debugsource-1.6.40-8.el10_1.3.x86_64.rpm SHA-256: fbfb49988fab91e403d82bf948905175389355d03ee05d83b0ca624104d92f72 libpng-debugsource-1.6.40-8.el10_1.3.x86_64.rpm SHA-256: fbfb49988fab91e403d82bf948905175389355d03ee05d83b0ca624104d92f72 libpng-devel-1.6.40-8.el10_1.3.x86_64.rpm SHA-256: e0120de8f527566b3b75ae345ce24e82116b435fe633bdbb4b24e55528d4b81b libpng-devel-debuginfo-1.6.40-8.el10_1.3.x86_64.rpm SHA-256: 98b3bedf4954156c474798a9c95050e25697ebbd10d40dcb44e98a58813f2db3 libpng-devel-debuginfo-1.6.40-8.el10_1.3.x86_64.rpm SHA-256: 98b3bedf4954156c474798a9c95050e25697ebbd10d40dcb44e98a58813f2db3 libpng-tools-debuginfo-1.6.40-8.el10_1.3.x86_64.rpm SHA-256: cc97458a241bdc4e36a385d08df4eb720f816e17d5661020fc2cc38ee9742715 libpng-tools-debuginfo-1.6.40-8.el10_1.3.x86_64.rpm SHA-256: cc97458a241bdc4e36a385d08df4eb720f816e17d5661020fc2cc38ee9742715 Red Hat Enterprise Linux for IBM z Systems 10 SRPM s390x libpng-1.6.40-8.el10_1.3.s390x.rpm SHA-256: bce6893a21368e77b31219b321b94fbc66758f392e534a03b275fdcb5ae06b80 libpng-debuginfo-1.6.40-8.el10_1.3.s390x.rpm SHA-256: 1c03aa9d97337ac09c9261cce52efd47c0686c36794c2631d4e11d9eedbb9c45 libpng-debugsource-1.6.40-8.el10_1.3.s390x.rpm SHA-256: 7e7b408ae3aaff9d3dcfe1c9a12d2f4c9f698c82a02a2f5542e69c4e163d5c19 libpng-devel-1.6.40-8.el10_1.3.s390x.rpm SHA-256: 8f26dda34774d57ff53d69cd00d31618c5f9f3351693e33078c337b3d00ad04f libpng-devel-debuginfo-1.6.40-8.el10_1.3.s390x.rpm SHA-256: 56310b90f1b42af65f2cfdb139eb30debe1aee746436d1eaf07c446cdb60da4b libpng-tools-debuginfo-1.6.40-8.el10_1.3.s390x.rpm SHA-256: 4122a7bb2b86a2403a76d45ec08ef0a084020eb00034bdba940ad7593303d870 Red Hat Enterprise Linux for Power, little endian 10 SRPM libpng-1.6.40-8.el10_1.3.src.rpm SHA-256: 50298757753180ea3b58792e593dc7033223262dfd751b9a7e50e5488d81499a ppc64le libpng-1.6.40-8.el10_1.3.ppc64le.rpm SHA-256: bb26e39f008e9b3db1ccbd7301debc862551038a4c806d56d0c28118970016f0 libpng-debuginfo-1.6.40-8.el10_1.3.ppc64le.rpm SHA-256: 9c0669930ca84f42c4b6b486b7059f3625ee9d0509b106313adeb76894048e78 libpng-debuginfo-1.6.40-8.el10_1.3.ppc64le.rpm SHA-256: 9c0669930ca84f42c4b6b486b7059f3625ee9d0509b106313adeb76894048e78 libpng-debugsource-1.6.40-8.el10_1.3.ppc64le.rpm SHA-256: 079a1f60b2f362bc3385f04f575766b35463a606cdab72497883c2187453cc73 libpng-debugsource-1.6.40-8.el10_1.3.ppc64le.rpm SHA-256: 079a1f60b2f362bc3385f04f575766b35463a606cdab72497883c2187453cc73 libpng-devel-1.6.40-8.el10_1.3.ppc64le.rpm SHA-256: 9d204fe8349c364089ac41ab004c2d1dacafcd8401ec3611f6c3993f13f3c2c9 libpng-devel-debuginfo-1.6.40-8.el10_1.3.ppc64le.rpm SHA-256: 22e2f75cfe41c9fcab86cd0802591d37dddf195b0b25462dd8cd0bfec67c4946 libpng-devel-debuginfo-1.6.40-8.el10_1.3.ppc64le.rpm SHA-256: 22e2f75cfe41c9fcab86cd0802591d37dddf195b0b25462dd8cd0bfec67c4946 libpng-tools-debuginfo-1.6.40-8.el10_1.3.ppc64le.rpm SHA-256: 1ca7ad4d2028294ba140cb8bd49446adbcebd29b3890d8780866d51cec92e844 libpng-tools-debuginfo-1.6.40-8.el10_1.3.ppc64le.rpm SHA-256: 1ca7ad4d2028294ba140cb8bd49446adbcebd29b3890d8780866d51cec92e844 Red Hat Enterprise Linux for ARM 64 10 SRPM libpng-1.6.40-8.el10_1.3.src.rpm SHA-256: 50298757753180ea3b58792e593dc7033223262dfd751b9a7e50e5488d81499a aarch64 libpng-1.6.40-8.el10_1.3.aarch64.rpm SHA-256: 23e47c8f63111247b9fa6afb6d1d946ba579483c57dd793401456dfbe831785e libpng-debuginfo-1.6.40-8.el10_1.3.aarch64.rpm SHA-256: bd7fc17bc482cc75d86ea1559e476b6b556fd0e5b9ec57ce38785c69bd39ead9 libpng-debuginfo-1.6.40-8.el10_1.3.aarch64.rpm SHA-256: bd7fc17bc482cc75d86ea1559e476b6b556fd0e5b9ec57ce38785c69bd39ead9 libpng-debugsource-1.6.40-8.el10_1.3.aarch64.rpm SHA-256: eb9bbb68b4950d772f4416b8d3f606ba95415ee21d1de7f83a5980c53acc9935 libpng-debugsource-1.6.40-8.el10_1.3.aarch64.rpm SHA-256: eb9bbb68b4950d772f4416b8d3f606ba95415ee21d1de7f83a5980c53acc9935 libpng-devel-1.6.40-8.el10_1.3.aarch64.rpm SHA-256: 425c25267fcd17f6791ed111abd6aec6f85b4232744a5f2333dd43d876079eb2 libpng-devel-debuginfo-1.6.40-8.el10_1.3.aarch64.rpm SHA-256: 7a3bb7069a8db9fcb56e19d7199e3b443ac0bf73d0d895a6b1d96bc6212dbbf6 libpng-devel-debuginfo-1.6.40-8.el10_1.3.aarch64.rpm SHA-256: 7a3bb7069a8db9fcb56e19d7199e3b443ac0bf73d0d895a6b1d96bc6212dbbf6 libpng-tools-debuginfo-1.6.40-8.el10_1.3.aarch64.rpm SHA-256: 8a7425d682b00654fc6bb59fb64bc3f6ec7040d60e4c62b8326a9da2d0265198 libpng-tools-debuginfo-1.6.40-8.el10_1.3.aarch64.rpm SHA-256: 8a7425d682b00654fc6bb59fb64bc3f6ec7040d60e4c62b8326a9da2d0265198 The Red Hat security contact is secalert@redhat.com . More contact details at https://access.redhat.com/security/team/contact/ .