{
  "document": {
    "aggregate_severity": {
      "text": "Medium"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/ubuntu20.04els/vex/2026/cve-2026-34757-els_os-ubuntu20_04els.json"
      }
    ],
    "tracking": {
      "current_release_date": "2026-05-15T00:36:21Z",
      "generator": {
        "date": "2026-05-15T00:36:21Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CVE-2026-34757-ELS_OS-UBUNTU20.04ELS",
      "initial_release_date": "2026-04-09T15:16:00Z",
      "revision_history": [
        {
          "date": "2026-04-09T15:16:00Z",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-05-14T12:35:30Z",
          "number": "2",
          "summary": "Official Publication"
        },
        {
          "date": "2026-05-15T00:36:21Z",
          "number": "3",
          "summary": "Update document"
        }
      ],
      "status": "final",
      "version": "3"
    },
    "title": "Security update on CVE-2026-34757"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Ubuntu 20.04",
                "product": {
                  "name": "Ubuntu 20.04",
                  "product_id": "Ubuntu-20",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Ubuntu"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libpng16-16-0:1.6.37-2.amd64",
                "product": {
                  "name": "libpng16-16-0:1.6.37-2.amd64",
                  "product_id": "libpng16-16-0:1.6.37-2.amd64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/ubuntu/libpng16-16@1.6.37-2?arch=amd64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libpng-dev-0:1.6.37-2.amd64",
                "product": {
                  "name": "libpng-dev-0:1.6.37-2.amd64",
                  "product_id": "libpng-dev-0:1.6.37-2.amd64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/ubuntu/libpng-dev@1.6.37-2?arch=amd64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libpng-tools-0:1.6.37-2.amd64",
                "product": {
                  "name": "libpng-tools-0:1.6.37-2.amd64",
                  "product_id": "libpng-tools-0:1.6.37-2.amd64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/ubuntu/libpng-tools@1.6.37-2?arch=amd64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          }
        ],
        "category": "vendor",
        "name": "Canonical Ltd."
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libpng16-16-0:1.6.37-2+tuxcare.els2.amd64",
                "product": {
                  "name": "libpng16-16-0:1.6.37-2+tuxcare.els2.amd64",
                  "product_id": "libpng16-16-0:1.6.37-2+tuxcare.els2.amd64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/tuxcare/libpng16-16@1.6.37-2%2Btuxcare.els2?arch=amd64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libpng-dev-0:1.6.37-2+tuxcare.els2.amd64",
                "product": {
                  "name": "libpng-dev-0:1.6.37-2+tuxcare.els2.amd64",
                  "product_id": "libpng-dev-0:1.6.37-2+tuxcare.els2.amd64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/tuxcare/libpng-dev@1.6.37-2%2Btuxcare.els2?arch=amd64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libpng-tools-0:1.6.37-2+tuxcare.els2.amd64",
                "product": {
                  "name": "libpng-tools-0:1.6.37-2+tuxcare.els2.amd64",
                  "product_id": "libpng-tools-0:1.6.37-2+tuxcare.els2.amd64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/tuxcare/libpng-tools@1.6.37-2%2Btuxcare.els2?arch=amd64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libpng16-16-0:1.6.37-2+tuxcare.els2.amd64 as a component of Ubuntu 20.04",
          "product_id": "Ubuntu-20:libpng16-16-0:1.6.37-2+tuxcare.els2.amd64"
        },
        "product_reference": "libpng16-16-0:1.6.37-2+tuxcare.els2.amd64",
        "relates_to_product_reference": "Ubuntu-20"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libpng-dev-0:1.6.37-2+tuxcare.els2.amd64 as a component of Ubuntu 20.04",
          "product_id": "Ubuntu-20:libpng-dev-0:1.6.37-2+tuxcare.els2.amd64"
        },
        "product_reference": "libpng-dev-0:1.6.37-2+tuxcare.els2.amd64",
        "relates_to_product_reference": "Ubuntu-20"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libpng-tools-0:1.6.37-2+tuxcare.els2.amd64 as a component of Ubuntu 20.04",
          "product_id": "Ubuntu-20:libpng-tools-0:1.6.37-2+tuxcare.els2.amd64"
        },
        "product_reference": "libpng-tools-0:1.6.37-2+tuxcare.els2.amd64",
        "relates_to_product_reference": "Ubuntu-20"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libpng16-16-0:1.6.37-2.amd64 as a component of Ubuntu 20.04",
          "product_id": "Ubuntu-20:libpng16-16-0:1.6.37-2.amd64"
        },
        "product_reference": "libpng16-16-0:1.6.37-2.amd64",
        "relates_to_product_reference": "Ubuntu-20"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libpng-dev-0:1.6.37-2.amd64 as a component of Ubuntu 20.04",
          "product_id": "Ubuntu-20:libpng-dev-0:1.6.37-2.amd64"
        },
        "product_reference": "libpng-dev-0:1.6.37-2.amd64",
        "relates_to_product_reference": "Ubuntu-20"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libpng-tools-0:1.6.37-2.amd64 as a component of Ubuntu 20.04",
          "product_id": "Ubuntu-20:libpng-tools-0:1.6.37-2.amd64"
        },
        "product_reference": "libpng-tools-0:1.6.37-2.amd64",
        "relates_to_product_reference": "Ubuntu-20"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-34757",
      "cwe": {
        "id": "CWE-416",
        "name": "Use After Free"
      },
      "notes": [
        {
          "category": "description",
          "text": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions from 1.0.9 up to, but not including, 1.6.57, passing a pointer obtained from png_get_PLTE, png_get_tRNS, or png_get_hIST back into the corresponding setter on the same png_struct/png_info pair causes the setter to read from freed memory and copy its contents into the replacement buffer. The setter frees the internal buffer before copying from the caller-supplied pointer, so that pointer dangles at the time of the copy. The freed region may contain stale data (producing silently corrupted chunk metadata) or data from subsequent heap allocations (leaking unrelated heap contents into the chunk struct). This vulnerability is fixed in 1.6.57.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "known_affected": [
          "Ubuntu-20:libpng-dev-0:1.6.37-2+tuxcare.els2.amd64",
          "Ubuntu-20:libpng-dev-0:1.6.37-2.amd64",
          "Ubuntu-20:libpng-tools-0:1.6.37-2+tuxcare.els2.amd64",
          "Ubuntu-20:libpng-tools-0:1.6.37-2.amd64",
          "Ubuntu-20:libpng16-16-0:1.6.37-2+tuxcare.els2.amd64",
          "Ubuntu-20:libpng16-16-0:1.6.37-2.amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2026-34757"
        },
        {
          "category": "external",
          "summary": "https://github.com/pnggroup/libpng/commit/398cbe3df03f4e11bb031e07f416dfdde3684e8a",
          "url": "https://github.com/pnggroup/libpng/commit/398cbe3df03f4e11bb031e07f416dfdde3684e8a"
        },
        {
          "category": "external",
          "summary": "https://github.com/pnggroup/libpng/commit/55d20aaa322c9274491cda82c5cd4f99b48c6bcc",
          "url": "https://github.com/pnggroup/libpng/commit/55d20aaa322c9274491cda82c5cd4f99b48c6bcc"
        },
        {
          "category": "external",
          "summary": "https://github.com/pnggroup/libpng/issues/836",
          "url": "https://github.com/pnggroup/libpng/issues/836"
        },
        {
          "category": "external",
          "summary": "https://github.com/pnggroup/libpng/issues/837",
          "url": "https://github.com/pnggroup/libpng/issues/837"
        },
        {
          "category": "external",
          "summary": "https://github.com/pnggroup/libpng/security/advisories/GHSA-6fr7-g8h7-v645",
          "url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-6fr7-g8h7-v645"
        },
        {
          "category": "external",
          "summary": "https://lists.debian.org/debian-lts-announce/2026/05/msg00017.html",
          "url": "https://lists.debian.org/debian-lts-announce/2026/05/msg00017.html"
        }
      ],
      "release_date": "2026-04-09T15:16:00Z",
      "remediations": [
        {
          "category": "no_fix_planned",
          "date": "2026-05-14T20:47:00.751440Z",
          "details": "This issue only triggers when an application misuses libpng by taking a pointer from png_get_PLTE, png_get_tRNS, or png_get_hIST and passing it back to the corresponding png_set_* function on the same png_struct/png_info pair; read-only PNG decoding paths do not call these setters, so a crafted image alone does not reach the defect in a pure decoder. The impact is confined to in-process corruption of the replaced chunk metadata and limited disclosure of unrelated heap data into that chunk struct (no availability impact and no clear route to remote code execution), and reaching it requires application code that already links libpng to call those APIs in this pattern. In centrally managed Linux server/VM deployments where libpng is used primarily for decoding or thumbnailing, these setters are not invoked on untrusted data, making practical exploitability low and this CVE suitable for deprioritization. Operators should nonetheless confirm that no locally deployed application (for example, an image conversion or rewriting tool that copies palette, transparency, or histogram data between png_info structures) round-trips a getter pointer into the matching setter; any such application remains exposed on this libpng version. A caller-side mitigation is to copy the chunk data into an application-owned buffer before calling the setter, or to build the application against libpng 1.6.57 or later, where the issue is fixed upstream.",
          "product_ids": [
            "Ubuntu-20:libpng-dev-0:1.6.37-2+tuxcare.els2.amd64",
            "Ubuntu-20:libpng-dev-0:1.6.37-2.amd64",
            "Ubuntu-20:libpng-tools-0:1.6.37-2+tuxcare.els2.amd64",
            "Ubuntu-20:libpng-tools-0:1.6.37-2.amd64",
            "Ubuntu-20:libpng16-16-0:1.6.37-2+tuxcare.els2.amd64",
            "Ubuntu-20:libpng16-16-0:1.6.37-2.amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 4.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "Ubuntu-20:libpng-dev-0:1.6.37-2+tuxcare.els2.amd64",
            "Ubuntu-20:libpng-dev-0:1.6.37-2.amd64",
            "Ubuntu-20:libpng-tools-0:1.6.37-2+tuxcare.els2.amd64",
            "Ubuntu-20:libpng-tools-0:1.6.37-2.amd64",
            "Ubuntu-20:libpng16-16-0:1.6.37-2+tuxcare.els2.amd64",
            "Ubuntu-20:libpng16-16-0:1.6.37-2.amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    }
  ]
}