A Vulnerability in libpng Exposes Millions of Apps

A serious flaw has been discovered in libpng, the official PNG reference library used by virtually every web browser and operating system. The vulnerability, assigned CVE-2026-25646, is a heap buffer overflow (an out-of-bounds read) in the png_set_quantize() function.

It enables attackers to crash applications or possibly run arbitrary code. The vulnerability is especially noteworthy because it has been present since the function was created (when it was still called png_set_dither()) and affects every previous release of the library. The maintainers released libpng 1.6.55 today to fix the problem; upgrading right away is advised.

30-Year-Old "Legacy" libpng Vulnerability

The flaw lies in the low-level API function png_set_quantize(), which reduces an image's colors to what the target display can show. Because of a logic error in the function, an attacker can drive it into an endless loop that eventually reads past the end of an internal heap-allocated buffer. The trigger conditions are narrow but entirely legitimate under the PNG specification: (1) the image must carry a PLTE (palette) chunk but no hIST (histogram) chunk; (2) the application must request color quantization; and (3) the palette must contain more than twice the number of colors the application asks for (the maximum_colors argument, normally the number of colors the display can show). The root cause is a subtle discrepancy in how color indices are handled during the "nearest color" quantization algorithm.

png_set_quantize() uses a "color distance" metric, the sum of the absolute differences of the red, green and blue channels, to group similar colors so that the palette can be reduced as far as possible. It builds a hash table, in effect an array of linked lists indexed by distance, that maps each distance to the pairs of palette colors at that distance. The key flaw lies not in how this table is populated but in how it is later read:

Population: while building the hash table, the code stores the current indices of the two colors in the intermediate (already partially reduced) palette.

Pruning: during the palette reduction loop the code walks this table to find colors to remove, but the loop logic assumes the table holds the original palette indices. To check whether both colors are still present, it runs the stored indices through the index_to_palette lookup table to convert them to their current positions. Because the stored values are "current" indices being treated as "original" ones, the validity checks fail, the algorithm no longer recognizes any removable color pairs, and the loop keeps going.

To find more candidates, the variable max_d (the maximum search distance) is raised each round until it exceeds the hash table's fixed size of 769 pointers (the largest possible distance is 3 × 255 = 765), at which point the code reads memory increasingly far beyond the allocated buffer. When the read reaches unmapped memory this most likely results in a deterministic crash (denial of service).

The advisory nonetheless cautions that the consequences could be more serious than a crash. The fix changes the hash table population logic to store the original color indices, keeping it consistent with the index_to_palette lookups in the rest of the function; libpng 1.6.55 includes this patch. Because libpng is so widely deployed it is a high-value target for exploit development, so developers and users are strongly encouraged to update to version 1.6.55 right away. An application can confirm which library it is actually linked against with png_get_libpng_ver(NULL) (or pkg-config --modversion libpng); at compile time PNG_LIBPNG_VER is 10655 for 1.6.55.
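To make the population/pruning mismatch concrete, the following is an added, self-contained model of the nearest-pair reduction described above (the no-histogram path, with a palette larger than twice the requested color count). It is example code written for this article, not libpng's own source: it keeps the two index tables (index_to_palette and palette_to_index) and the 769-slot distance-keyed hash table, but omits libpng's quantize_index remapping, the histogram path, and error handling, and it assumes palettes of at most 256 entries. The store_original flag selects whether the table is filled with current positions (the mismatch the advisory describes) or with original indices (the fixed behaviour). The six-color palette is constructed for the demo; instead of reading past hash[768] the model returns -1 where the real loop would over-read.

```c
#include <stdio.h>
#include <stdlib.h>

#define HASH_SIZE 769   /* one bucket per possible distance 0..765 plus slack */
#define DIST_STEP 96    /* search radius grows by this each round */

typedef struct { unsigned char red, green, blue; } rgb;
typedef struct dsort { struct dsort *next; unsigned char left, right; } dsort;

/* "Color distance": sum of absolute RGB channel differences, at most 765. */
int color_dist(rgb a, rgb b)
{
    return abs(a.red - b.red) + abs(a.green - b.green) + abs(a.blue - b.blue);
}

static void free_hash(dsort **hash)
{
    for (int i = 0; i < HASH_SIZE; i++)
        while (hash[i]) { dsort *t = hash[i]; hash[i] = t->next; free(t); }
}

/* Model of the nearest-pair reduction (not libpng's code).
 * i2p[original] = current position, p2i[position] = original index.
 * store_original == 0: store current positions but look them up as originals.
 * store_original == 1: store original indices, matching the lookup.
 * Returns the final color count, -1 where the real loop would read hash[]
 * past its end, or -2 for unsupported input (assumption: n <= 256). */
int reduce_palette(rgb *pal, int n, int max_colors, int store_original)
{
    unsigned char i2p[256], p2i[256];
    dsort *hash[HASH_SIZE] = { 0 };
    int num_new = n, max_d = DIST_STEP;

    if (n < 1 || n > 256 || max_colors < 1) return -2;
    for (int i = 0; i < n; i++) i2p[i] = p2i[i] = (unsigned char)i;

    while (num_new > max_colors) {
        if (max_d >= HASH_SIZE)            /* pruning would read hash[769..max_d] */
            return -1;
        /* Population: bucket every pair within max_d by its distance. */
        for (int i = 0; i < num_new - 1; i++)
            for (int j = i + 1; j < num_new; j++) {
                int d = color_dist(pal[i], pal[j]);
                if (d > max_d) continue;
                dsort *t = malloc(sizeof *t);
                t->left  = store_original ? p2i[i] : (unsigned char)i;
                t->right = store_original ? p2i[j] : (unsigned char)j;
                t->next = hash[d];
                hash[d] = t;
            }
        /* Pruning: walk buckets by distance, dropping one color of each pair
         * whose two members (as originals) still map inside the live palette. */
        for (int d = 0; d <= max_d && num_new > max_colors; d++)
            for (dsort *p = hash[d]; p && num_new > max_colors; p = p->next) {
                if (i2p[p->left] >= num_new || i2p[p->right] >= num_new)
                    continue;                 /* looks already removed: skip */
                int j = (num_new & 1) ? p->left : p->right;  /* original to drop */
                num_new--;
                pal[i2p[j]] = pal[num_new];   /* move last live color into the hole */
                i2p[p2i[num_new]] = i2p[j];
                p2i[i2p[j]] = p2i[num_new];
                i2p[j] = (unsigned char)num_new;
                p2i[num_new] = (unsigned char)j;
            }
        free_hash(hash);
        max_d += DIST_STEP;
    }
    return num_new;
}

/* Constructed palette: three close pairs (distances 10, 20, 30), every other
 * pair farther than 96, and 6 colors > 2 * 2 requested, so a second round
 * runs on an already-compacted palette. Copies the first two surviving
 * colors into out_first_two when it is non-NULL. */
int run_demo(int store_original, rgb *out_first_two)
{
    rgb pal[6] = { {0,0,0}, {10,0,0}, {0,120,0}, {0,140,0}, {0,0,120}, {0,0,150} };
    int r = reduce_palette(pal, 6, 2, store_original);
    if (out_first_two) { out_first_two[0] = pal[0]; out_first_two[1] = pal[1]; }
    return r;
}

int main(void)
{
    printf("positions stored as originals: %d\n", run_demo(0, NULL)); /* -1 */
    printf("original indices stored:       %d\n", run_demo(1, NULL)); /* 2 */
    return 0;
}
```

In the first round the two index tables are still the identity, so both variants behave the same; the divergence appears in the second round, once colors have been moved, when every stored position maps through i2p to a slot outside the live palette, no pair is ever merged, and max_d climbs past the table in 96-unit steps.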

Follow ZeroOwl on X and LinkedIn for daily updates. To have your stories featured, get in touch with us.