CVE-2026-25646
Published: 10 February 2026
Summary
CVE-2026-25646 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in libpng (vendor: libpng). Its CVSS base score is reported as 8.3 (High); note that the CVSS v3.1 vector quoted in the deeper analysis below computes to 8.1, so the two figures on this page come from different scorings.
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 43.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-25646 is an out-of-bounds read vulnerability in the libpng reference library, which applications use to read, create, and manipulate PNG raster image files. In versions prior to 1.6.55, the png_set_quantize() API function mishandles certain palettes when it is called without a histogram (a NULL histogram argument) and the number of palette entries is more than twice the maximum supported by the user's display (the maximum_colors argument). Such a palette sends the function into an infinite loop that reads past the end of a heap-allocated internal buffer. The triggering images are valid per the PNG specification, so a conforming decoder cannot reject them up front. The record tags the flaw with CWE-122 (heap-based buffer overflow) and CWE-126 (buffer over-read); the primitive described in the advisory is a read, not a write. It carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
Remote attackers can exploit this vulnerability without privileges or user interaction by supplying a specially crafted PNG image to a vulnerable application that passes its palette to libpng's png_set_quantize() under the conditions above. The attack-complexity rating (AC:H) reflects that precondition: only applications that call png_set_quantize() with a NULL histogram are exposed, and the ordinary decode path that never requests quantization does not reach this code. Successful exploitation leads to high-impact confidentiality, integrity, and availability consequences, potentially including information disclosure from the out-of-bounds read, memory corruption, or denial of service via the infinite loop and crash.
The vulnerability is fixed in LIBPNG version 1.6.55, as detailed in the project's GitHub security advisory (GHSA-g8hp-mq4h-rqm3) and the fixing commit (01d03b8453eb30ade759cd45c707e5a1c7277d88). Security practitioners should update to 1.6.55 or later and audit applications using LIBPNG for PNG palette quantization operations, per discussions on the oss-security mailing list.
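As an added example (written for this page, not libpng project code), here is an application-side audit gate that encodes the trigger conditions above: libpng older than 1.6.55, a NULL histogram, and a palette with more than twice as many entries as maximum_colors. The version encoding follows libpng's own PNG_LIBPNG_VER scheme (major*10000 + minor*100 + release, so 1.6.55 is 10655); the helper names, the two constructed version strings and the 256-colour / 64-colour palette case are assumptions for illustration.

```c
/*
 * Added example, not part of libpng: an application-side gate for
 * png_set_quantize() calls on libpng builds without the CVE-2026-25646 fix.
 *
 * The vulnerable branch (per the advisory) needs three things at once:
 *   - libpng older than 1.6.55,
 *   - a NULL histogram argument, and
 *   - num_palette > 2 * maximum_colors.
 * Version numbers below use the PNG_LIBPNG_VER encoding from png.h
 * (major*10000 + minor*100 + release); at run time the string form comes
 * from png_get_libpng_ver(png_ptr).
 */
#include <stdio.h>
#include <stdlib.h>

#define PNG_QUANTIZE_FIXED_VER 10655   /* 1.6.55, first release with the fix */

/* Parse "M.m.r" (any trailing suffix such as "beta01" is ignored) into the
 * PNG_LIBPNG_VER integer encoding. Returns -1 if the string is malformed. */
int libpng_ver_to_int(const char *s)
{
    char *end;
    long major, minor, release;

    if (s == NULL) return -1;
    major = strtol(s, &end, 10);
    if (end == s || *end != '.') return -1;
    s = end + 1;
    minor = strtol(s, &end, 10);
    if (end == s || *end != '.') return -1;
    s = end + 1;
    release = strtol(s, &end, 10);
    if (end == s) return -1;
    if (major < 0 || minor < 0 || minor > 99 || release < 0 || release > 99)
        return -1;
    return (int)(major * 10000 + minor * 100 + release);
}

/* Non-zero if this libpng carries the 1.6.55 fix. */
int libpng_quantize_fixed(int ver)
{
    return ver >= PNG_QUANTIZE_FIXED_VER;
}

/* Non-zero if a planned png_set_quantize(png_ptr, palette, num_palette,
 * maximum_colors, histogram, full_quantize) call would reach the vulnerable
 * branch on the given libpng version. A caller that gets 1 back should
 * refuse the image, or supply a histogram, rather than make the call. */
int quantize_call_is_risky(int ver, int num_palette, int maximum_colors,
                           int have_histogram)
{
    if (libpng_quantize_fixed(ver)) return 0;   /* fixed library: nothing to gate */
    if (have_histogram) return 0;               /* advisory condition: no histogram */
    return num_palette > 2 * maximum_colors;    /* advisory condition: > 2x display colours */
}

int main(void)
{
    /* Constructed inputs: a 256-entry palette being reduced for a 64-colour
     * target with no histogram, on an unfixed and a fixed libpng. */
    const char *vers[] = { "1.6.54", "1.6.55" };
    for (int i = 0; i < 2; i++) {
        int v = libpng_ver_to_int(vers[i]);
        printf("libpng %s (%d): fixed=%d, risky(256 colours -> 64, no histogram)=%d\n",
               vers[i], v, libpng_quantize_fixed(v),
               quantize_call_is_risky(v, 256, 64, 0));
    }
    return 0;
}
```

In a real build the same gate collapses to a preprocessor check on PNG_LIBPNG_VER from png.h around the png_set_quantize() call site; the runtime form is useful where libpng is dynamically linked and the header the application was built against may be newer than the library it loads.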
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7050
Vulnerability details
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated exploitation via a crafted PNG supplied to any libpng-processing application (server or client) maps directly to T1190 (Exploit Public-Facing Application) and T1203 (Exploitation for Client Execution). The out-of-bounds read, memory corruption, and denial-of-service impacts are consistent with these initial-access and execution vectors, but the advisory gives no detail that would support post-exploitation mappings.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly remediates the out-of-bounds read and infinite loop in libpng's png_set_quantize() function by requiring updates to version 1.6.55 or later.
- RA-5 (Vulnerability Monitoring and Scanning): enables identification of vulnerable libpng instances, including copies statically linked or vendored into applications, through vulnerability scanning, facilitating timely remediation of this CVE.
- SI-16 (Memory Protection): runtime memory protections such as ASLR and heap isolation limit what an attacker can do with the heap buffer over-read, but do not stop the infinite loop, so they reduce disclosure and corruption impact rather than the denial-of-service outcome.