CVE-2026-25646: LIBPNG has a heap buffer overflow in png_set_quantize
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55.
Security readout for executives and security teams
Plain-English summary
CVE-2026-25646 affects libpng before 1.6.55, a widely used PNG image library. A specially crafted but valid PNG palette can make a vulnerable code path loop and read beyond a heap buffer. The main business risk is disruption in systems that process untrusted PNG files.
Executive priority
Treat as high priority for image-processing services and internet-facing upload workflows. The available evidence supports patching urgency, not emergency incident response, because active exploitation is not shown in the provided sources.
Technical view
The flaw is in png_set_quantize() when called with no histogram and a palette larger than twice the display maximum. Certain valid palettes can trigger an infinite loop and out-of-bounds heap read. Sources list CVSS 4.0 score 8.3 and availability impact as high. It is fixed in libpng 1.6.55.
Likely exposure
Exposure is most likely in applications, libraries, containers, or OS packages using libpng before 1.6.55 and processing untrusted PNGs through the affected quantization API path. Not every libpng consumer is necessarily exposed; API usage matters.
Exploitation context
The bundle does not show CISA KEV listing or cited active exploitation. Exploitation requires specific conditions: vulnerable libpng, the png_set_quantize() path, no histogram, and palette characteristics described by the advisory. Public sources here do not establish weaponized exploitation.
Researcher notes
The vulnerable condition is narrow but reachable with valid PNG files under specific png_set_quantize() usage. Focus analysis on call sites, bundled libpng copies, and downstream vendor backports. The source bundle contains incomplete product-specific exposure details outside libpng and Red Hat advisories.
Mitigation direction
Upgrade libpng to 1.6.55 or later where directly managed.
Apply vendor-patched OS packages, including relevant Red Hat errata where applicable.
Check distribution advisories for backported fixes and package-specific status.
Prioritize services that accept PNG uploads or process external images.
Retire or rebuild containers carrying vulnerable libpng versions.
Validation and detection
Inventory libpng versions across hosts, containers, and bundled application dependencies.
Confirm whether applications call png_set_quantize() on untrusted PNG input.
Verify patched packages map to vendor advisories or libpng 1.6.55.
Review SBOMs and image-processing dependencies for embedded libpng copies.
Document any non-exposed systems where the affected API path is unused.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-122: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-122 · source CWE mapping
Heap-based Buffer Overflow
Heap-based Buffer Overflow represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Out-of-bounds Read represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Buffer Over-read represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.