A high-severity vulnerability has been unearthed in libpng, the official and ubiquitous reference library for handling PNG images. The flaw, tracked as CVE-2026-25646, carries a CVSS score of 8.3 and has existed in the codebase since its very inception, affecting every version of the library released over the past three decades.
For the countless applications that rely on libpng to display images—from web browsers to operating systems—this discovery represents a significant “legacy” risk that must be addressed immediately.
The vulnerability lies within the png_set_quantize() function (formerly known as png_set_dither), which is responsible for reducing the number of colors in an image to match a display’s capabilities.
The flaw is a “Heap buffer overflow,” specifically an out-of-bounds read that occurs under a precise set of conditions. If an application tries to process a specially crafted PNG file—specifically one with a palette but no histogram—the function can enter an “infinite loop that reads past the end of an internal heap-allocated buffer”.
The trigger conditions are specific but valid under the PNG specification:
- The image is RGB(A) or indexed-color with a PLTE chunk but no hIST chunk.
- The caller requests color quantization.
- The maximum number of colors allowed is set to “less than half the palette size”.
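The three conditions above can be checked during triage without decoding the image. The Python sketch below is an added example, not code from libpng or the advisory: it walks the PNG chunk stream and reports whether a file, combined with the color limit an application passes to quantization, matches them. The function names and the 64-entry sample stream are constructed for illustration, and a match means only that the listed preconditions hold.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
AFFECTED_COLOR_TYPES = {2, 3, 6}  # RGB, indexed-colour, RGBA

def _chunk(ctype, body=b""):
    """Serialise one chunk: length, type, body, CRC-32 over type+body."""
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def build_sample(entries, with_hist):
    """Constructed chunk stream (no IDAT): indexed IHDR, PLTE, optional hIST."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 3, 0, 0, 0)
    parts = [PNG_SIG, _chunk(b"IHDR", ihdr), _chunk(b"PLTE", bytes(3 * entries))]
    if with_hist:
        parts.append(_chunk(b"hIST", bytes(2 * entries)))
    return b"".join(parts + [_chunk(b"IEND")])

def iter_chunks(data):
    """Yield (type, body) per chunk; CRCs are not verified here."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG stream")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            raise ValueError("truncated chunk")
        yield ctype, data[pos + 8:pos + 8 + length]
        if ctype == b"IEND":
            return
        pos += 12 + length

def quantize_preconditions(data, max_colors):
    """Report whether file + caller setting match the listed conditions."""
    color_type, entries, has_hist = None, 0, False
    for ctype, body in iter_chunks(data):
        if ctype == b"IHDR" and len(body) == 13:
            color_type = body[9]  # byte 9 of IHDR is the colour type
        elif ctype == b"PLTE":
            entries = len(body) // 3  # three bytes per palette entry
        elif ctype == b"hIST":
            has_hist = True
    match = (color_type in AFFECTED_COLOR_TYPES and entries > 0
             and not has_hist and 2 * max_colors < entries)
    return {"palette_entries": entries, "has_hist": has_hist, "match": match}

if __name__ == "__main__":
    print(quantize_preconditions(build_sample(64, False), 16))
```
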
While the most immediate outcome of an exploit is a Denial-of-Service (DoS) crash due to the infinite loop, the potential impact goes much deeper.
The advisory warns that sophisticated attackers could weaponize this flaw. “In the worst case scenario, with proper heap grooming, an attacker could read and write… potentially leading to information disclosure or arbitrary code execution,” the report states.
By carefully manipulating the memory layout (“heap grooming”) before the vulnerable function is called, an attacker could theoretically hijack the application processing the image.
The advisory notes that “This vulnerability has existed since the initial version of png_set_quantize()… Therefore, all libpng versions are affected”. This means the bug has been lurking in one of the world’s most widely used image libraries for over 28 years, unnoticed until now.
The maintainers have released a fix in libpng version 1.6.55.
Users and developers are urged to upgrade immediately. Versions 1.6.54 and earlier are vulnerable. Given the ubiquity of libpng, this patch is likely to trigger a wave of downstream updates across the software ecosystem.