CVE-2026-25646

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e5a1c7277d88	Patch
https://github.com/pnggroup/libpng/security/advisories/GHSA-g8hp-mq4h-rqm3	Exploit Vendor Advisory
http://www.openwall.com/lists/oss-security/2026/02/09/7	Mailing List
https://github.com/pnggroup/libpng/security/advisories/GHSA-g8hp-mq4h-rqm3	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:libpng:libpng:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-10 18:16

Updated : 2026-02-13 20:43

NVD link : CVE-2026-25646

Mitre link : CVE-2026-25646

CVE.ORG link : CVE-2026-25646

JSON object : View

Products Affected

libpng

libpng

CWE

CWE-122

Heap-based Buffer Overflow

CWE-126

Buffer Over-read

{"id": "CVE-2026-25646", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-10T18:16:37.817", "references": [{"url": "https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e5a1c7277d88", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-g8hp-mq4h-rqm3", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "http://www.openwall.com/lists/oss-security/2026/02/09/7", "tags": ["Mailing List"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-g8hp-mq4h-rqm3", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-122"}, {"lang": "en", "value": "CWE-126"}]}], "descriptions": [{"lang": "en", "value": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55."}, {"lang": "es", "value": "LIBPNG es una biblioteca de referencia para uso en aplicaciones que leen, crean y manipulan archivos de imagen r\u00e1ster PNG (Portable Network Graphics). Antes de 1.6.55, existe una vulnerabilidad de lectura fuera de l\u00edmites en la funci\u00f3n API png_set_quantize(). Cuando se llama a la funci\u00f3n sin histograma y el n\u00famero de colores en la paleta es m\u00e1s del doble del m\u00e1ximo soportado por la pantalla del usuario, ciertas paletas har\u00e1n que la funci\u00f3n entre en un bucle infinito que lee m\u00e1s all\u00e1 del final de un b\u00fafer interno asignado en el *heap*. Las im\u00e1genes que activan esta vulnerabilidad son v\u00e1lidas seg\u00fan la especificaci\u00f3n PNG. Esta vulnerabilidad est\u00e1 corregida en 1.6.55."}], "lastModified": "2026-02-13T20:43:44.690", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:libpng:libpng:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "306EDE73-99CF-4AE7-9B92-C63F68FD63AB", "versionEndExcluding": "1.6.55"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}