Developers have resolved a legacy flaw in the widely used libpng open-source library that existed since the software was released nearly 30 years ago.
The heap buffer overflow in libpng would cause applications on unpatched systems to crash when presented with maliciously crafted PNG graphic images. In worst-case scenarios, the CVE-2026-25646 vulnerability could be abused to extract information or trigger remote code execution.
The most serious repercussions of the flaw would be possible only if preceded by careful heap grooming by a potential attacker, so exploitation is far from trivial.
Images capable of exploiting the vulnerability would still need to be valid PNG files. The vulnerability is fixed in libpng version 1.6.55.
Libpng is a reference library that allows applications to read or manipulate PNG raster image files. The technology is bundled with many Linux- and Unix-based operating systems, including Red Hat and Debian.
The security flaw exists in a function called png_set_quantize, which is used for reducing the number of colors in PNG images, and is present in all versions of libpng prior to version 1.6.55.
“When the function is called with no histogram and the number of colours in the palette is more than twice the maximum supported by the user’s display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer,” an advisory on the flaw explains.
Security researchers have released a proof of concept for the vulnerability to demonstrate their concern.
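As an added example (not code from the article, the advisory or libpng itself), the following Python checker parses a PNG's chunks with CRC verification, counts the PLTE palette entries, and reports whether the palette exceeds twice a caller-supplied display colour limit, which is the palette-size condition the advisory describes for png_set_quantize. The `max_display_colors` value and the 1x1 sample image are constructed for the demonstration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def make_chunk(ctype: bytes, data: bytes) -> bytes:
    # Length, type, data, then CRC-32 over type + data (PNG chunk layout).
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def iter_chunks(png: bytes):
    # Yield (type, data) for each chunk, checking the signature and every CRC.
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        if len(data) != length:
            raise ValueError("truncated chunk %r" % ctype)
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC on chunk %r" % ctype)
        yield ctype, data
        if ctype == b"IEND":
            break
        pos += 12 + length

def palette_size(png: bytes) -> int:
    # Number of RGB triples in PLTE; 0 when the image carries no palette.
    for ctype, data in iter_chunks(png):
        if ctype == b"PLTE":
            if len(data) % 3:
                raise ValueError("PLTE length is not a multiple of 3")
            return len(data) // 3
    return 0

def exceeds_quantize_threshold(png: bytes, max_display_colors: int) -> bool:
    # Palette larger than twice the display limit: the advisory's palette-size condition.
    return palette_size(png) > 2 * max_display_colors

def build_sample_png(palette_entries: int) -> bytes:
    # Constructed 1x1, 8-bit indexed-colour PNG with a palette of the given size.
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 3, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one palette index
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"PLTE", bytes(3 * palette_entries))
            + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b""))
```

Run `exceeds_quantize_threshold(build_sample_png(256), 64)` to see the check fire on a full 256-entry palette against a 64-colour limit.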
Threat levels
The flaw should not be overlooked but is certainly no reason for panic, according to security experts.
“While it’s true this bug existed in the libpng library for three decades, this is not a doomsday-level threat,” said Satnam Narang, senior staff research engineer at Tenable, the firm behind the Nessus vulnerability assessment scanner.
The vulnerable png_set_quantize function, previously called png_set_dither, is rarely used and exploitation of the flaw is tricky.
These factors lower the true severity of this flaw despite the “high” severity rating and CVSS score of 8.3, according to Narang.
“While it is still important to patch flaws like this one as part of the normal patch management process, it shouldn’t be prioritized over vulnerabilities in edge-network devices that are being targeted by nation-state threat actors and ransomware affiliates,” Narang advised.
AI-enabled bug hunting threat
The discovery of the flaw highlights the uncomfortable truth that there are many lingering vulnerabilities in open-source software libraries — dormant bugs that the wider use of AI tools is likely to unearth at greater cadence in future.
“In combination with the rapid improvement of large language models, it’s likely we’ll see the discovery of a plethora of bugs in the coming months, just as Anthropic’s Claude Opus 4.6 was able to find 500 high-severity zero-days,” Narang told CSO. “Some of those bugs may be exploited by threat actors, instead of being disclosed via coordination.”