HighPublic exploit

Out-of-bounds read in libpng png_set_quantize()

IdentifiersCVE-2026-25646CWE-125

CVE-2026-25646 is a high-severity memory-safety flaw in libpng, the reference library for reading and writing PNG images. The vulnerability is in the png_set_quantize() API function (formerly png_set_dither). In affected versions prior to 1.6.55, when png_set_quantize() is invoked without a histogram and the palette contains more than twice the maximum number of colors supported by the caller's display configuration, certain valid PNG palettes can cause the function to enter an infinite loop and read past the end of an internal heap-allocated buffer. The issue is described as an out-of-bounds read / heap buffer overflow condition during palette quantization. Triggering images are valid under the PNG specification, and the flaw reportedly existed since the initial implementation of png_set_quantize().

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

The most immediate and likely impact is denial of service due to process crash or hang while parsing a crafted PNG image. Because the bug performs out-of-bounds reads from heap memory, there is also potential for unintended memory disclosure. Supporting content further notes that, with favorable heap layout or heap grooming, the condition could potentially be leveraged toward arbitrary code execution, although the provided material does not establish that code execution has been demonstrated in practice.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by avoiding or strictly limiting processing of untrusted PNG files, especially in applications that call png_set_quantize() or perform palette quantization on attacker-controlled images. Disable or bypass quantization paths where feasible, isolate image parsing in sandboxed or low-privilege processes, and apply memory-safety hardening and crash containment controls to reduce exploitability. No specific complete workaround is provided in the cited advisory.

Remediation

Patch, then assume compromise.

Upgrade libpng to version 1.6.55 or later, which contains the upstream fix for CVE-2026-25646. Downstream consumers should apply vendor-supplied patched packages where direct library upgrade is not practical. The provided Debian advisory recommends upgrading libpng1.6 to 1.6.39-2+deb12u3 on oldstable (bookworm) or 1.6.48-1+deb13u3 on stable (trixie). Rebuild or redeploy applications that statically link vulnerable libpng versions so the fixed library is actually incorporated.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

LibpngLibpngapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

29 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

29 SOURCESView more in app

the hacker newsNews

Feb 16, 2026

Weekly Recap: Outlook Add-Ins Hijack, 0-Day Patches, Wormable Botnet & AI Malware

Unknown (listed as a trending CVE for libpng without details in the provided content).

security online infoNews

Feb 10, 2026

30-Year-Old Bug: High-Severity libpng Flaw (CVSS 8.3) Exposes Millions of Apps

A high-severity libpng vulnerability in png_set_quantize() (aka png_set_dither) that can trigger an infinite loop with out-of-bounds heap reads when processing specially crafted PNGs (palette present without histogram), leading to DoS and potentially information disclosure or arbitrary code execution with heap grooming.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity18