CVE-2026-25646
CVE-2026-25646 is a high-severity vulnerability in Libpng with a CVSS 3.x base score of 8.1. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-122.
Key facts
- Severity: High (CVSS 3.x base score 8.1)
- CVSS v4: 8.3
- EPSS exploit prediction: 1% (57th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-7050
- Weakness: CWE-122
- Affected product: Libpng
- Published:
- Last modified:
Description
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55.
Frequently asked questions
- What is CVE-2026-25646?
- LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55.
- How severe is CVE-2026-25646?
- CVE-2026-25646 has a CVSS 3.x base score of 8.1, rated high severity. It is exploitable over network with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2026-25646 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (57th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-25646?
- CVE-2026-25646 affects Libpng. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-25646?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2026-25646 have an EU (EUVD) identifier?
- Yes. CVE-2026-25646 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-7050.
- When was CVE-2026-25646 published?
- CVE-2026-25646 was published on 2026-02-10 and last updated on 2026-06-30.
References
- https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e5a1c7277d88
- https://github.com/pnggroup/libpng/security/advisories/GHSA-g8hp-mq4h-rqm3
- http://www.openwall.com/lists/oss-security/2026/02/09/7
- https://access.redhat.com/errata/RHSA-2026:10097
- https://access.redhat.com/errata/RHSA-2026:12274
- https://access.redhat.com/errata/RHSA-2026:14773
- https://access.redhat.com/errata/RHSA-2026:15087
- https://access.redhat.com/errata/RHSA-2026:16174
- https://access.redhat.com/errata/RHSA-2026:17596
- https://access.redhat.com/errata/RHSA-2026:3031
- https://access.redhat.com/errata/RHSA-2026:3405
- https://access.redhat.com/errata/RHSA-2026:3551
- https://access.redhat.com/errata/RHSA-2026:3573
- https://access.redhat.com/errata/RHSA-2026:3574
- https://access.redhat.com/errata/RHSA-2026:3575
- https://access.redhat.com/errata/RHSA-2026:3576
- https://access.redhat.com/errata/RHSA-2026:3577
- https://access.redhat.com/errata/RHSA-2026:3968
- https://access.redhat.com/errata/RHSA-2026:3969
- https://access.redhat.com/errata/RHSA-2026:4221
- https://access.redhat.com/errata/RHSA-2026:4222
- https://access.redhat.com/errata/RHSA-2026:4306
- https://access.redhat.com/errata/RHSA-2026:4501
- https://access.redhat.com/errata/RHSA-2026:4728
- https://access.redhat.com/errata/RHSA-2026:4729
- https://access.redhat.com/errata/RHSA-2026:4730
- https://access.redhat.com/errata/RHSA-2026:4731
- https://access.redhat.com/errata/RHSA-2026:4732
- https://access.redhat.com/errata/RHSA-2026:4756
- https://access.redhat.com/errata/RHSA-2026:5606
Affected products (1)
- cpe:2.3:a:libpng:libpng:*:*:*:*:*:*:*:*
More vulnerabilities in Libpng
- CVE-2017-12652 — Critical (CVSS 9.8): libpng before 1.6.32 does not properly check the length of chunks against the user limit.
- CVE-2010-1205 — Critical (CVSS 9.8): Buffer overflow in pngpread.c in libpng before 1.2.44 and 1.4.x before 1.4.3, as used in progressive applications,…
- CVE-2018-14550 — High (CVSS 8.8): An issue has been found in third-party PNM decoding associated with libpng 1.6.35. It is a stack-based buffer overflow…
- CVE-2015-8540 — High (CVSS 8.8): Integer underflow in the png_check_keyword function in pngwutil.c in libpng 0.90 through 0.99, 1.0.x before 1.0.66,…
- CVE-2015-0973 — High (CVSS 8.8): Buffer overflow in the png_read_IDAT_data function in pngrutil.c in libpng before 1.5.21 and 1.6.x before 1.6.16 allows…
- CVE-2014-9495 — High (CVSS 8.8): Heap-based buffer overflow in the png_combine_row function in libpng before 1.5.21 and 1.6.x before 1.6.16, when…
Other CWE-122 (Heap-based Buffer Overflow) vulnerabilities
- CVE-2026-46752 — Critical (CVSS 10.0): Redis Lua HEAP overflow in cjson library vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: from…
- CVE-2026-24822 — Critical (CVSS 10.0): Out-of-bounds Write, Heap-based Buffer Overflow vulnerability in ttttupup wxhelper (src modules). This vulnerability is…
- CVE-2025-23123 — Critical (CVSS 10.0): A malicious actor with access to the management network could execute a remote code execution (RCE) by exploiting a…
- CVE-2022-34819 — Critical (CVSS 10.0): A vulnerability has been identified in SIMATIC CP 1242-7 V2 (All versions < V3.3.46), SIMATIC CP 1243-1 (All versions <…
- CVE-2026-44050 — Critical (CVSS 9.9): A heap-based buffer overflow in the CNID daemon comm_rcv() function in Netatalk 2.0.0 through 4.4.2 allows a remote…
- CVE-2026-49841 — Critical (CVSS 9.8): FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to…
Browse all CWE-122 (Heap-based Buffer Overflow) vulnerabilities →