Home > Vulnerability Database > CVE-2026-25646

Mend.io Vulnerability Database

CVE-2026-25646

Good to know:

Date: February 9, 2026

In libpng through 1.6.45, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification.

Severity Score

7.0

Related Resources (4)

Url: https://github.com/pnggroup/libpng/security/advisories/GHSA-g8hp-mq4h-rqm3

Url: https://seclists.org/oss-sec/2026/q1/156

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-25646

Url: https://www.mend.io/vulnerability-database/CVE-2026-25646

Severity Score

7.0

Weakness Type (CWE)

Out-of-bounds Read

CWE-125

Top Fix

Upgrade Version

Upgrade to version https://github.com/pnggroup/libpng.git - v1.6.55

Learn More

CVSS v3.1

Base Score:	7.0
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2026-25646

Good to know:

Date: February 9, 2026

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?