Message-ID: <CAAoVtZyhq57wdw6+c+FR-W=a6U0rBdeZsa3GhR_Kd+FerYPbwQ@mail.gmail.com>
Date: Tue, 10 Feb 2026 01:18:13 +0200
From: Cosmin Truta <ctruta@...il.com>
To: oss-security@...ts.openwall.com
Subject: libpng 1.6.55: Heap buffer overflow vulnerability fixed: CVE-2026-25646

Hello, everyone,

libpng 1.6.55 has been released to address a heap buffer overflow
vulnerability in the low-level API. This release fixes one
high-severity CVE affecting all versions of libpng.

CVE-2026-25646 (High): Heap buffer overflow in png_set_quantize
when called with no histogram and a palette larger than twice the
requested maximum number of colors.

The vulnerability exists in the color quantization code that reduces
the number of colors in a palette. A logic error in the color
distance table causes current palette indices to be stored where
original indices are expected. After palette entries are swapped
during color pruning, the index mismatch causes the pruning loop
to fail to find valid candidates, the search bound grows past the
end of a heap-allocated buffer, and out-of-bounds reads occur.

The images that trigger this vulnerability are valid per the PNG
specification. The bug has existed since the initial version of
png_set_quantize (then called png_set_dither).

Unlike the recent CVEs fixed in libpng 1.6.51, 1.6.52 and 1.6.54,
which affected the simplified API, this vulnerability affects the
low-level function png_set_quantize.

This can result in denial of service and potentially information
disclosure or arbitrary code execution via heap corruption.
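For integrators who want to audit their own png_set_quantize call sites against the condition the advisory describes, the following is an added example written for this note; it is not libpng's code and is not taken from the advisory. It assumes libpng's integer version format (major*10000 + minor*100 + release, the value png_access_version_number() returns and PNG_LIBPNG_VER carries) and treats 10655 as the first fixed release, which is correct for the 1.6 series only; the function names, the enum and the sample call shapes are all constructed here.

```c
#include <stdio.h>

/* libpng 1.6.55 in libpng's integer version format (assumption: 1.6 series). */
#define QUANTIZE_FIX_VERSION 10655UL

/* Decode libpng's packed version integer into its three parts. */
void libpng_version_parts(unsigned long v, int *major, int *minor, int *release)
{
    *major   = (int)(v / 10000);
    *minor   = (int)((v / 100) % 100);
    *release = (int)(v % 100);
}

/* 1 if the runtime library already carries the CVE-2026-25646 fix. */
int libpng_has_quantize_fix(unsigned long runtime_version)
{
    return runtime_version >= QUANTIZE_FIX_VERSION;
}

/* 1 if a png_set_quantize call matches the trigger the advisory names:
 * no histogram supplied and a palette larger than twice maximum_colors.
 * The argument shapes mirror png_set_quantize's num_palette, maximum_colors
 * and histogram parameters; have_histogram is 0 when histogram is NULL. */
int quantize_call_hits_trigger(int num_palette, int maximum_colors, int have_histogram)
{
    if (have_histogram)
        return 0;
    return num_palette > 2 * maximum_colors;
}

typedef enum {
    QUANTIZE_OK,              /* call shape is outside the described condition, or library is fixed */
    QUANTIZE_FLAG_FOR_UPGRADE /* unpatched runtime and the call matches the trigger */
} quantize_verdict;

/* Combine the runtime version and the call shape into an audit verdict. */
quantize_verdict check_quantize_call(unsigned long runtime_version, int num_palette,
                                     int maximum_colors, int have_histogram)
{
    if (libpng_has_quantize_fix(runtime_version))
        return QUANTIZE_OK;
    if (quantize_call_hits_trigger(num_palette, maximum_colors, have_histogram))
        return QUANTIZE_FLAG_FOR_UPGRADE;
    return QUANTIZE_OK;
}

int main(void)
{
    /* Constructed sample: an application linked against 1.6.54 that quantizes a
     * 256-entry palette down to 100 colors without passing a histogram. In a real
     * build, runtime_version would come from png_access_version_number(). */
    unsigned long runtime_version = 10654UL;
    int major, minor, release;

    libpng_version_parts(runtime_version, &major, &minor, &release);
    printf("runtime libpng %d.%d.%d\n", major, minor, release);

    quantize_verdict v = check_quantize_call(runtime_version, 256, 100, 0);
    printf("png_set_quantize(palette=256, max=100, histogram=NULL): %s\n",
           v == QUANTIZE_OK ? "ok" : "matches CVE-2026-25646 trigger, upgrade to 1.6.55");
    return 0;
}
```

The check is deliberately conservative: it only reproduces the two conditions the advisory states (no histogram, palette more than twice the requested maximum) and defers to the library version for everything else, so a flagged call site means "this runs the affected path on an unpatched libpng", and the remedy remains the upgrade the advisory calls for.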

GitHub Security Advisory:
- CVE-2026-25646:
https://github.com/pnggroup/libpng/security/advisories/GHSA-g8hp-mq4h-rqm3

Fix:
- https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e5a1c7277d88

Release: https://github.com/pnggroup/libpng/releases/tag/v1.6.55

Credit: Joshua Inscoe (reporter and fixer)

Users should upgrade to libpng 1.6.55 immediately.

---
Cosmin Truta
libpng maintainer
