CVE-2026-25646
Modified Modified - Updated After Analysis

Out-of-Bounds Read in LIBPNG png_set_quantize() Causes Infinite Loop

Vulnerability report for CVE-2026-25646, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-10

Last updated on: 2026-06-30

Assigner: GitHub, Inc.

Description

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-10
Last Modified
2026-06-30
Generated
2026-07-06
AI Q&A
2026-02-10
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
libpng libpng to 1.6.55 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-126 The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the LIBPNG library, specifically in the png_set_quantize() API function before version 1.6.55. When this function is called without a histogram and the palette contains more than twice the maximum number of colors supported by the user's display, certain valid PNG images can cause the function to enter an infinite loop. This loop results in an out-of-bounds read past the end of an internal heap-allocated buffer.

Impact Analysis

The vulnerability can cause an application using LIBPNG to enter an infinite loop and perform out-of-bounds memory reads. This can lead to application crashes, denial of service, or potentially expose sensitive memory contents depending on the context in which the library is used.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, update the LIBPNG library to version 1.6.55 or later, where the out-of-bounds read issue in the png_set_quantize() function is fixed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25646. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart