Description

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55.

INFO

Published Date :

2026-02-10T17:04:38.501Z

Last Modified :

2026-02-11T15:31:58.665Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-25646 vulnerability.

Vendors Products
Libpng
  • Libpng
Pnggroup
  • Libpng
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-25646.

URL Resource
http://www.openwall.com/lists/oss-security/2026/02/09/7 cve-icon cve-icon
https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e5a1c7277d88 cve-icon cve-icon cve-icon
https://github.com/pnggroup/libpng/security/advisories/GHSA-g8hp-mq4h-rqm3 cve-icon cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-25646 cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-25646 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact