Description
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55.
Published: 2026-02-10
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Out-of-Bounds Read
Action: Immediate Patch
AI Analysis

Impact

A flaw exists in libpng's png_set_quantize() function that triggers when the function is called with no histogram and the palette contains more than twice the maximum number of colors supported by the user's display. Under these conditions certain palettes make the routine enter an infinite loop that reads past the end of an internally heap-allocated buffer. The weaknesses recorded for the vulnerability are the memory-safety categories CWE-122, CWE-125 and CWE-126. The published CVSS 4.0 vector rates availability impact high and confidentiality and integrity impact low, which matches the mechanism: a crafted image causes the decoding process to spin or crash, with at most a limited disclosure of process memory beyond the buffer, and no direct code-execution path is described. Two scoping points matter for triage. First, the bug sits in an optional API: only applications that call png_set_quantize() without a histogram reach it, not every application that decodes PNGs with libpng. Second, since a PNG palette holds at most 256 entries, the trigger condition can only be met when the display limit passed to the function is below 128 colors.
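As an added example (not code from the advisory or from libpng), the following Python script parses a PNG's chunk stream and reports whether an image meets the stated trigger precondition for a given display limit, so that untrusted images can be screened before png_set_quantize() is called on an unpatched library. It assumes the caller's maximum_colors value is known and that the application passes a histogram only when the file carries a hIST chunk (libpng exposes that chunk through png_get_hIST(); a histogram obtained any other way is outside this check). build_paletted_png() constructs the sample input inline; it and the other function names are this example's own, not libpng APIs.

```python
"""Screen a PNG against the published png_set_quantize() trigger condition:
paletted image, no histogram, and num_palette > 2 * maximum_colors.

Added example, not libpng code. Assumptions: the application supplies a
histogram only when a hIST chunk is present, and maximum_colors is known.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def iter_chunks(data):
    """Yield (type, payload) for each chunk, verifying every CRC."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    while pos < len(data):
        if len(data) - pos < 12:
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        if len(payload) != length:
            raise ValueError("truncated chunk payload")
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if (zlib.crc32(ctype + payload) & 0xFFFFFFFF) != crc:
            raise ValueError("CRC mismatch in %r chunk" % ctype)
        yield ctype, payload
        pos += 12 + length
        if ctype == b"IEND":
            break


def palette_info(data):
    """Return (color_type, num_palette, has_hist) for a PNG byte string."""
    color_type = None
    num_palette = 0
    has_hist = False
    for ctype, payload in iter_chunks(data):
        if ctype == b"IHDR":
            color_type = payload[9]          # byte 9 of IHDR is the color type
        elif ctype == b"PLTE":
            if len(payload) == 0 or len(payload) % 3 != 0:
                raise ValueError("PLTE length must be a non-zero multiple of 3")
            num_palette = len(payload) // 3  # at most 256 entries per the spec
        elif ctype == b"hIST":
            has_hist = True
    return color_type, num_palette, has_hist


def hits_precondition(data, maximum_colors):
    """True when the image meets the advisory's stated trigger condition.

    This is a necessary condition only: the advisory says 'certain palettes'
    cause the loop, so a True result means 'do not quantize this on an
    unpatched libpng', not 'this image is malicious'.
    """
    color_type, num_palette, has_hist = palette_info(data)
    if color_type != 3 or num_palette == 0:   # 3 = indexed-color
        return False
    if has_hist:                               # histogram path is not affected
        return False
    return num_palette > 2 * maximum_colors


def build_paletted_png(num_palette, with_hist=False):
    """Construct a minimal, spec-valid 1x1 indexed PNG with num_palette
    entries (constructed test input, not taken from any real image)."""
    def chunk(ctype, payload):
        return (struct.pack(">I", len(payload)) + ctype + payload
                + struct.pack(">I", zlib.crc32(ctype + payload) & 0xFFFFFFFF))

    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 3, 0, 0, 0)  # 1x1, 8-bit, indexed
    plte = b"".join(bytes((i & 0xFF, (i * 7) & 0xFF, (i * 13) & 0xFF))
                    for i in range(num_palette))
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter 0, palette index 0
    out = PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"PLTE", plte)
    if with_hist:
        out += chunk(b"hIST", struct.pack(">%dH" % num_palette, *([1] * num_palette)))
    out += chunk(b"IDAT", idat) + chunk(b"IEND", b"")
    return out


if __name__ == "__main__":
    # A 256-entry palette with no histogram, for a display limited to 100 colors.
    print(hits_precondition(build_paletted_png(256), maximum_colors=100))
```

Because num_palette never exceeds 256, the screen can only fire for maximum_colors below 128; with a larger display limit the function returns False for every valid PNG, which is a quick way to confirm a call site is out of scope.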

Affected Systems

The issue affects all libpng releases prior to version 1.6.55. Any application that calls png_set_quantize() without a histogram on PNG files processed through such a libpng is potentially vulnerable; applications that only decode PNGs and never quantize palettes do not reach the affected code. The affected product is the libpng library available from the official project repository, and the vulnerability is documented for all builds below 1.6.55, including copies distributed as part of Linux distributions or bundled in other software stacks. Distribution packages may carry a backported fix under their own package version, so the advisories listed below, not the upstream version number alone, determine whether a given package is patched.

Risk and Exploitability

The CVSS 4.0 score of 8.3 classifies this as a high-severity risk. The EPSS score below 1% indicates a low current probability of exploitation in the wild, and the flaw is not listed in the CISA KEV catalog, although the SSVC assessment recorded in the history below notes that proof-of-concept exploitation exists (Exploitation: poc, Automatable: no). An attacker needs to supply a crafted PNG whose palette satisfies the trigger condition to an application that quantizes images with libpng. The vector is network-reachable (AV:N) whenever such an application accepts untrusted images from the network; the high attack complexity (AC:H) and required precondition (AT:P) reflect the specific palette and call-site requirements. Because no direct execution vector is described, the threat is primarily denial of service through the infinite loop and out-of-bounds read, with a limited information-disclosure component.

Generated by OpenCVE AI on April 17, 2026 at 20:45 UTC.

Remediation

Fixed upstream in libpng 1.6.55 (see the description above). Distribution updates for Debian and Ubuntu are listed under Advisories below.

OpenCVE Recommended Actions

  • Upgrade libpng to version 1.6.55 or later, which contains the patch that removes the infinite loop and the out-of-bounds read; on Debian and Ubuntu, apply the distribution updates listed under Advisories below (DLA-4481-1, DSA-6138-1, USN-8035-1).
  • If an immediate upgrade is not possible, avoid the trigger condition: do not call png_set_quantize() without a histogram on untrusted images, refuse to quantize palettes larger than twice the intended maximum_colors value, or perform palette reduction outside libpng.
  • Audit all software that incorporates libpng (system packages and bundled or statically linked copies alike) to verify the version in use, and apply any vendor-provided patches before the vulnerable code is executed. For distribution packages, check the advisory rather than the upstream version number, since a backported fix keeps the old number.
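As an added example (not from the advisory, libpng or any distribution tool), the following Python audit helper turns the version check in the last step into something repeatable: it normalizes the version forms a practitioner actually collects (plain "1.6.54", distribution strings such as "1.6.54-1+deb13u1", and the five-digit integer returned by png_access_version_number() or defined as PNG_LIBPNG_VER) and classifies each copy, flagging distribution packages below 1.6.55 for advisory lookup rather than declaring them vulnerable. The inventory rows are constructed, and the (host, source, version) layout is this example's assumption about how an inventory is collected.

```python
"""Classify libpng copies against the fixed release (added example)."""
import re

# First upstream release with the fix, per the advisory.
FIXED_UPSTREAM = (1, 6, 55)


def parse_libpng_version(text):
    """Return the upstream (major, minor, patch) tuple for a libpng version.

    Accepts plain '1.6.54', distribution forms such as '1.6.54-1+deb13u1'
    (only the upstream prefix is compared), and the five-digit integer used
    by PNG_LIBPNG_VER / png_access_version_number(), e.g. 10654 -> (1, 6, 54).
    """
    text = str(text).strip()
    if re.fullmatch(r"\d{5}", text):
        n = int(text)
        return (n // 10000, (n // 100) % 100, n % 100)
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError("unrecognized libpng version: %r" % text)
    return tuple(int(x) for x in m.groups())


def assess(version, distro_package=False):
    """Classify one libpng instance.

    Distribution packages keep the upstream version number when they backport
    a fix (Debian and Ubuntu issued advisories for this CVE), so an old
    upstream number in a distro package means 'check the advisory', not
    'vulnerable'. Vendored or self-built copies are judged by version alone.
    """
    if parse_libpng_version(version) >= FIXED_UPSTREAM:
        return "fixed"
    return "check-advisory" if distro_package else "vulnerable"


# Constructed inventory: (host, how libpng got there, reported version).
SAMPLE_INVENTORY = [
    ("build-01", "vendored", "1.6.50"),
    ("web-02", "distro", "1.6.54-1"),
    ("ci-03", "vendored", "1.6.55"),
    ("render-04", "vendored", "10653"),   # png_access_version_number() output
]


def audit(inventory):
    """Return {host: status} for every inventory row."""
    return {host: assess(version, distro_package=(source == "distro"))
            for host, source, version in inventory}


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(host, status)
```

A "check-advisory" result is the one that needs a human: compare the package version against the distribution's advisory for this CVE before closing the finding.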

Advisories

Source      ID          Title
Debian DLA  DLA-4481-1  libpng1.6 security update
Debian DSA  DSA-6138-1  libpng1.6 security update
Ubuntu USN  USN-8035-1  libpng vulnerabilities

History

Fri, 13 Feb 2026 20:45:00 +0000
  First Time appeared (added): Libpng; Libpng libpng
  CPEs (added): cpe:2.3:a:libpng:libpng:*:*:*:*:*:*:*:*
  Vendors & Products (added): Libpng; Libpng libpng
  Metrics cvssV3_1 (removed): {'score': 7.0, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H'}
  Metrics cvssV3_1 (added): {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 11 Feb 2026 16:15:00 +0000
  Metrics ssvc (added): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Feb 2026 00:15:00 +0000
  Weaknesses (added): CWE-125
  References: changed (values not shown on this page)
  Metrics threat_severity (removed): None
  Metrics cvssV3_1 (added): {'score': 7.0, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H'}
  Metrics threat_severity (added): Important

Tue, 10 Feb 2026 21:45:00 +0000
  First Time appeared (added): Pnggroup; Pnggroup libpng
  Vendors & Products (added): Pnggroup; Pnggroup libpng

Tue, 10 Feb 2026 18:30:00 +0000
  References: changed (values not shown on this page)

Tue, 10 Feb 2026 17:30:00 +0000
  Description (added): the text shown under Description at the top of this page
  Title (added): LIBPNG has a heap buffer overflow in png_set_quantize
  Weaknesses (added): CWE-122, CWE-126
  References: changed (values not shown on this page)
  Metrics cvssV4_0 (added): {'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-11T15:31:58.665Z

Reserved: 2026-02-04T05:15:41.791Z

Link: CVE-2026-25646

Vulnrichment

Updated: 2026-02-10T17:25:31.583Z

NVD

Status : Analyzed

Published: 2026-02-10T18:16:37.817

Modified: 2026-02-13T20:43:44.690

Link: CVE-2026-25646

Red Hat

Severity : Important

Public Date: 2026-02-10T17:04:38Z

Links: CVE-2026-25646 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T21:00:12Z

Weaknesses