libpng png_image_free function Use-After-Free Denial of Service Vulnerability
png_image_free in png.c in libpng 1.6.36 has a use-after-free because png_image_free_function is called under png_safe_execute.
A vulnerability in the png_image_free function of libpng could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted system. The vulnerability is due to a use-after-free memory error that could occur in the png_image_free function, as defined in the png.c source code file of the affected software, when calling on png_safe_execute. An attacker could exploit this vulnerability by sending crafted data to the affected system that will trigger a call on png_safe_execute. A successful exploit could cause a use-after-free memory error, resulting in a DoS condition. Proof-of-concept (PoC) code that demonstrates an exploit of this vulnerability is publicly available. PNG Development Group has confirmed the vulnerability, however, software updates are not available.