A moderate-severity vulnerability (CVE-2026-33636) in libpng involves an out-of-bounds read/write in the Neon palette expansion, which can lead to information disclosure and denial of service. The advisory applies to Red Hat Enterprise Linux 9, and the fix is provided in the updated package version libpng-1.6.37-12.el9_7.3. Administrators should apply this security update via the standard Red Hat update channels to remediate affected systems.
Red Hat Product Errata RHSA-2026:14791 - Security Advisory Issued: 2026-05-07 Updated: 2026-05-07 RHSA-2026:14791 - Security Advisory Overview Updated Packages Synopsis Moderate: libpng security update Type/Severity Security Advisory: Moderate Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for libpng is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description The libpng packages contain a library of functions for creating and manipulating Portable Network Graphics (PNG) image format files. Security Fix(es): libpng: libpng: Information disclosure and denial of service via out-of-bounds read/write in Neon palette expansion (CVE-2026-33636) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux for x86_64 9 x86_64 Red Hat Enterprise Linux for IBM z Systems 9 s390x Red Hat Enterprise Linux for Power, little endian 9 ppc64le Red Hat Enterprise Linux for ARM 64 9 aarch64 Fixes BZ - 2451819 - CVE-2026-33636 libpng: libpng: Information disclosure and denial of service via out-of-bounds read/write in Neon palette expansion CVEs CVE-2026-33636 References https://access.redhat.com/security/updates/classification/#moderate Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux for x86_64 9 SRPM libpng-1.6.37-12.el9_7.3.src.rpm SHA-256: a9f6893aab05b27ee097ef9ea68843db3c0e621081b39083ff6b1a3988137cd5 x86_64 libpng-1.6.37-12.el9_7.3.i686.rpm SHA-256: 21319c2db59633ed7495a4f1d716e39680f0a74d6b408547e650208048be22f6 libpng-1.6.37-12.el9_7.3.x86_64.rpm SHA-256: 46809ed973fe057afdba595cd6672116ae4c73cadcac6d885e5710b9d1c56550 libpng-debuginfo-1.6.37-12.el9_7.3.i686.rpm SHA-256: 63f5ce45b597869c32fd47a465b744857d2c8ffc86d6b09278e82870ea628ba5 libpng-debuginfo-1.6.37-12.el9_7.3.i686.rpm SHA-256: 63f5ce45b597869c32fd47a465b744857d2c8ffc86d6b09278e82870ea628ba5 libpng-debuginfo-1.6.37-12.el9_7.3.x86_64.rpm SHA-256: f10dbc4f4d35785a8a61f8f156704a810fbf8cd12b94fc663e783eac795a632a libpng-debuginfo-1.6.37-12.el9_7.3.x86_64.rpm SHA-256: f10dbc4f4d35785a8a61f8f156704a810fbf8cd12b94fc663e783eac795a632a libpng-debugsource-1.6.37-12.el9_7.3.i686.rpm SHA-256: 47d0670e9664898d4ac44de717d56446b55ea580e98281cff498a273a05b2369 libpng-debugsource-1.6.37-12.el9_7.3.i686.rpm SHA-256: 47d0670e9664898d4ac44de717d56446b55ea580e98281cff498a273a05b2369 libpng-debugsource-1.6.37-12.el9_7.3.x86_64.rpm SHA-256: 968b7b2144ab527420e6e1864f3cf663d3d1e953688991bc94af52ca986d8b97 libpng-debugsource-1.6.37-12.el9_7.3.x86_64.rpm SHA-256: 968b7b2144ab527420e6e1864f3cf663d3d1e953688991bc94af52ca986d8b97 libpng-devel-1.6.37-12.el9_7.3.i686.rpm SHA-256: ee5e0690382b93553d0992aca7a267f03453aeb75657546183e90b4d6d996a88 libpng-devel-1.6.37-12.el9_7.3.x86_64.rpm SHA-256: 20d8ccbff96b06278cbefb4ce53d02a1803743d2c8da4758a0c039a42a5bd00f libpng-devel-debuginfo-1.6.37-12.el9_7.3.i686.rpm SHA-256: a68d0227bc7180ebe3457bdfc82eee14725ce1199b91e7825ac0e4053e23152a libpng-devel-debuginfo-1.6.37-12.el9_7.3.i686.rpm SHA-256: a68d0227bc7180ebe3457bdfc82eee14725ce1199b91e7825ac0e4053e23152a libpng-devel-debuginfo-1.6.37-12.el9_7.3.x86_64.rpm SHA-256: 2ebedaa95f777d7eac0e13e4540965a424069e52db55cca73e000582255d2176 libpng-devel-debuginfo-1.6.37-12.el9_7.3.x86_64.rpm SHA-256: 2ebedaa95f777d7eac0e13e4540965a424069e52db55cca73e000582255d2176 libpng-tools-debuginfo-1.6.37-12.el9_7.3.i686.rpm SHA-256: 6d937b0862964f35bdeb109a3b0ae40ef63b5b0021ad71693cf3e139460b84e1 libpng-tools-debuginfo-1.6.37-12.el9_7.3.i686.rpm SHA-256: 6d937b0862964f35bdeb109a3b0ae40ef63b5b0021ad71693cf3e139460b84e1 libpng-tools-debuginfo-1.6.37-12.el9_7.3.x86_64.rpm SHA-256: 5fede617894c611513b3e9490f02d49e2fe94e6dc9aeb6dd726ea818258d38af libpng-tools-debuginfo-1.6.37-12.el9_7.3.x86_64.rpm SHA-256: 5fede617894c611513b3e9490f02d49e2fe94e6dc9aeb6dd726ea818258d38af Red Hat Enterprise Linux for IBM z Systems 9 SRPM s390x libpng-1.6.37-12.el9_7.3.s390x.rpm SHA-256: 7bac5bf3460d8c3d3c0a2039d2f78762daf375f83c1525aa612c3aadcf5e7226 libpng-debuginfo-1.6.37-12.el9_7.3.s390x.rpm SHA-256: 4d4ed10e09df8a1a9a4cc433748bdb512ff6e2333f75a915d7fd731437e61f4a libpng-debugsource-1.6.37-12.el9_7.3.s390x.rpm SHA-256: 29a701be8773a19d5c606bfa86478aa73051db3907b5acf8d0e5dbf40807392b libpng-devel-1.6.37-12.el9_7.3.s390x.rpm SHA-256: 6f760c04611858feb6708bdcc0fa0989d4e4fa18ea3baf844d31d8666736025d libpng-devel-debuginfo-1.6.37-12.el9_7.3.s390x.rpm SHA-256: b51c7bd89b4693611c95d98f8cd870e5f701d993f924fa71518bda23d2c7c4a4 libpng-tools-debuginfo-1.6.37-12.el9_7.3.s390x.rpm SHA-256: b6e106988f2edfcb990feca0469d80b495cd23fb55d24bc28e4b44f86f237594 Red Hat Enterprise Linux for Power, little endian 9 SRPM libpng-1.6.37-12.el9_7.3.src.rpm SHA-256: a9f6893aab05b27ee097ef9ea68843db3c0e621081b39083ff6b1a3988137cd5 ppc64le libpng-1.6.37-12.el9_7.3.ppc64le.rpm SHA-256: d50dd5684e307d936c9818d1bca0badab2c4d5b0b29ecf5b4caa05c48c4502c3 libpng-debuginfo-1.6.37-12.el9_7.3.ppc64le.rpm SHA-256: 589a3c73ea70b1d7bba673c4be8b11dfed8d569cd31262256ad3cec1ddaf286e libpng-debuginfo-1.6.37-12.el9_7.3.ppc64le.rpm SHA-256: 589a3c73ea70b1d7bba673c4be8b11dfed8d569cd31262256ad3cec1ddaf286e libpng-debugsource-1.6.37-12.el9_7.3.ppc64le.rpm SHA-256: 341adf8e04aa4f4aaa7aff2762ca15cd21dbcc580803adaad80d558f5958c128 libpng-debugsource-1.6.37-12.el9_7.3.ppc64le.rpm SHA-256: 341adf8e04aa4f4aaa7aff2762ca15cd21dbcc580803adaad80d558f5958c128 libpng-devel-1.6.37-12.el9_7.3.ppc64le.rpm SHA-256: bb8cb0299d59a2468092804a2bb7cb8cdb2ca9716198f3e2156e3aad44b6f774 libpng-devel-debuginfo-1.6.37-12.el9_7.3.ppc64le.rpm SHA-256: 6f951fa18cc578e7f876d0027c80f1327c1365ad2b8693e5ab6502b9c5145774 libpng-devel-debuginfo-1.6.37-12.el9_7.3.ppc64le.rpm SHA-256: 6f951fa18cc578e7f876d0027c80f1327c1365ad2b8693e5ab6502b9c5145774 libpng-tools-debuginfo-1.6.37-12.el9_7.3.ppc64le.rpm SHA-256: b2adf377282ebcc493a6234193371832762ba07e567f57a573d933f76e6beb4e libpng-tools-debuginfo-1.6.37-12.el9_7.3.ppc64le.rpm SHA-256: b2adf377282ebcc493a6234193371832762ba07e567f57a573d933f76e6beb4e Red Hat Enterprise Linux for ARM 64 9 SRPM libpng-1.6.37-12.el9_7.3.src.rpm SHA-256: a9f6893aab05b27ee097ef9ea68843db3c0e621081b39083ff6b1a3988137cd5 aarch64 libpng-1.6.37-12.el9_7.3.aarch64.rpm SHA-256: 7fc2812cbdf49957466da0bd80e3825a8937bdf0b85aee94651149b56a33bb23 libpng-debuginfo-1.6.37-12.el9_7.3.aarch64.rpm SHA-256: 4e926d9c291ed803202195e16b2d4b7e11d4e8a34b2de1ecaa99ddea9f92f8a5 libpng-debuginfo-1.6.37-12.el9_7.3.aarch64.rpm SHA-256: 4e926d9c291ed803202195e16b2d4b7e11d4e8a34b2de1ecaa99ddea9f92f8a5 libpng-debugsource-1.6.37-12.el9_7.3.aarch64.rpm SHA-256: aa8dba7cb2b1e730d150e42a7122665fc06bb504d441e070a0a40f4b3e24eb5a libpng-debugsource-1.6.37-12.el9_7.3.aarch64.rpm SHA-256: aa8dba7cb2b1e730d150e42a7122665fc06bb504d441e070a0a40f4b3e24eb5a libpng-devel-1.6.37-12.el9_7.3.aarch64.rpm SHA-256: 28f23a5474ae7edcc154230f6690233eb62dc90b01c5e1cc13e3b05ac774bb19 libpng-devel-debuginfo-1.6.37-12.el9_7.3.aarch64.rpm SHA-256: 5aff0cddaf82364d00f7997abc4baff45f2ad5a43436583ae28b5d9d38ac183c libpng-devel-debuginfo-1.6.37-12.el9_7.3.aarch64.rpm SHA-256: 5aff0cddaf82364d00f7997abc4baff45f2ad5a43436583ae28b5d9d38ac183c libpng-tools-debuginfo-1.6.37-12.el9_7.3.aarch64.rpm SHA-256: 9d7eed42a32d11922d7b02a0966d7820727b25c6719414969f795adfb5e407f9 libpng-tools-debuginfo-1.6.37-12.el9_7.3.aarch64.rpm SHA-256: 9d7eed42a32d11922d7b02a0966d7820727b25c6719414969f795adfb5e407f9 The Red Hat security contact is secalert@redhat.com . More contact details at https://access.redhat.com/security/team/contact/ .