PT-2026-7243 · Libpng+4
Pwnalone · Published 2026-01-01 · Updated 2026-04-12 · CVE-2026-25646
CVSS v4.0: 8.3 (High)
| Vector | AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
libpng versions prior to 1.6.55
Description
libpng is a library used by applications to read, create, and manipulate PNG raster image files. A flaw exists in the png_set_quantize() function that can lead to a denial-of-service condition or potentially arbitrary code execution. This issue is triggered when the function is called without a histogram and with a palette that exceeds twice the maximum number of colors supported by the user's display. The vulnerability stems from an out-of-bounds read within the function, caused by specially crafted, yet valid, PNG files. The issue has been present in the library for approximately 30 years. The png_set_quantize() function is susceptible to a heap buffer overflow.
Recommendations
Versions prior to 1.6.55 should be upgraded to version 1.6.55 or later.
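A defender-side triage for the trigger condition stated above, written for this page as an added example (it is not the advisory's or libpng's code): it walks a PNG's chunks, verifies each CRC, and reports whether the file carries a PLTE larger than twice a given maximum_colors with no hIST chunk, i.e. whether an application that passes the file's histogram (if any) and its display depth to png_set_quantize() would reach the path the description names. The function names, the `maximum_colors` threshold and the constructed sample files are assumptions; the IHDR, PLTE and hIST layouts follow the PNG specification.

```python
"""Triage helper for CVE-2026-25646: walk a PNG's chunks and report whether the
file would meet the png_set_quantize() precondition the advisory describes
(palette larger than 2 * maximum_colors, no histogram). Added example, not
part of the advisory or of libpng."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def iter_chunks(data: bytes):
    """Yield (type, body) for each chunk, verifying length and CRC as we go."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length          # 4 length + 4 type + body + 4 CRC
        if end > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:end])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:   # CRC covers type + data
            raise ValueError("bad CRC in chunk %r" % ctype)
        yield ctype, body
        pos = end
        if ctype == b"IEND":
            break


def palette_info(data: bytes) -> dict:
    """Collect the facts the advisory's trigger depends on: palette size and hIST presence."""
    info = {"color_type": None, "num_palette": 0, "has_hist": False}
    for ctype, body in iter_chunks(data):
        if ctype == b"IHDR":
            _, _, _, color_type, _, _, _ = struct.unpack(">IIBBBBB", body)
            info["color_type"] = color_type
        elif ctype == b"PLTE":
            if len(body) % 3 or len(body) > 3 * 256:   # 3 bytes per entry, max 256 entries
                raise ValueError("malformed PLTE")
            info["num_palette"] = len(body) // 3
        elif ctype == b"hIST":
            info["has_hist"] = True
    return info


def quantize_risk(info: dict, maximum_colors: int) -> str:
    """Classify against the advisory's trigger: no histogram and
    num_palette > 2 * maximum_colors. maximum_colors is the value the
    application would pass to png_set_quantize() (assumed: the display depth)."""
    if info["num_palette"] == 0:
        return "no-palette"
    if info["has_hist"]:
        return "histogram-present"       # the described path needs a NULL histogram
    if info["num_palette"] > 2 * maximum_colors:
        return "triggers-precondition"
    return "within-limits"


def triage(data: bytes, maximum_colors: int) -> dict:
    """Return a verdict plus the parsed facts; malformed files are reported, not raised."""
    try:
        info = palette_info(data)
    except ValueError as exc:
        return {"verdict": "malformed", "reason": str(exc)}
    return {"verdict": quantize_risk(info, maximum_colors), **info}


def _chunk(ctype: bytes, body: bytes) -> bytes:
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF))


def make_indexed_png(num_palette: int, with_hist: bool = False) -> bytes:
    """Constructed 1x1 indexed-colour PNG (colour type 3) used as sample input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 3, 0, 0, 0)
    plte = bytes(v & 0xFF for i in range(num_palette) for v in (i, 255 - i, i * 7))
    png = PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"PLTE", plte)
    if with_hist:
        png += _chunk(b"hIST", struct.pack(">%dH" % num_palette, *([1] * num_palette)))
    png += _chunk(b"IDAT", zlib.compress(b"\x00\x00"))   # filter byte + one pixel
    return png + _chunk(b"IEND", b"")


if __name__ == "__main__":
    for n, hist in ((256, False), (256, True), (100, False)):
        print(n, hist, triage(make_indexed_png(n, hist), maximum_colors=64)["verdict"])
```

Because a PLTE chunk holds at most 256 entries, the stated condition can only be met when the maximum_colors the application passes is below 128. The check is an ingestion gate for deployments still running libpng before 1.6.55, not a substitute for the upgrade above.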
Exploit
Fix
DoS
RCE
Heap Based Buffer Overflow
Buffer Over-read
Related Identifiers
Affected Products
Linuxmint
Red Os
Rocky Linux
Ubuntu
Libpng