30-Year-Old Libpng Vulnerability Exposes Millions of Systems to Code Execution Attacks

A critical vulnerability has been uncovered in libpng, the official PNG reference library used by practically every operating system and web browser in existence.

The flaw, assigned CVE-2026-25646, is a heap buffer overflow in the png_set_quantize() function that allows attackers to crash applications or potentially execute arbitrary code.

The vulnerability is particularly notable for its longevity; it has existed since the function’s inception (when it was named png_set_dither()), affecting all prior versions of the library. Maintainers have released libpng 1.6.55 today to patch the issue, and immediate upgrades are recommended.

30-Year-Old “Legacy” Libpng Vulnerability

The flaw resides in png_set_quantize(), a low-level API function used to reduce the number of colors in an image (quantization) to match a display’s capabilities. A specific logic error allows an attacker to force the function into an infinite loop that eventually reads past the end of an internal heap-allocated buffer.

The trigger conditions are strict but valid under the PNG specification:

• The image must contain a PLTE (palette) chunk but no hIST (histogram) chunk.
• The application must request color quantization.
• The number of colors in the palette must be more than twice the maximum supported by the user’s display.

The vulnerability stems from a subtle mismatch in how color indices are handled during the “nearest color” quantization algorithm.

To optimize the reduction of the palette, png_set_quantize() groups similar colors using a “color distance” metric (the sum of absolute differences in RGB channels). It builds a hash table, essentially an array of linked lists, mapping these distances to pairs of colors in the palette.

The critical failure occurs in how this table is populated versus how it is accessed:

1. Population: When building the hash table, the code stores the current indices of the colors in the intermediate palette.
2. Pruning: During the palette reduction loop, the code iterates through this table to find colors to eliminate. However, the loop logic assumes the table contains original palette indices. It attempts to convert these stored indices to their current positions using the index_to_palette lookup table to verify if the colors are still present.

Because the code misinterprets “current” indices as “original” ones, the validity checks fail. The algorithm becomes unable to identify removable colors, causing the loop to continue indefinitely.

The variable max_d (the maximum search distance) increments in an attempt to find more candidates, eventually exceeding the fixed size of the hash table (769 pointers). This forces the program to read memory well past the allocated buffer.

In the most likely scenario, this vulnerability causes a deterministic crash (Denial of Service) as the application attempts to read unmapped memory. However, the advisory warns that the impact could be severe:

The fix involves modifying the hash table population logic to store original color indices, ensuring consistency with the rest of the function’s logic. This patch is included in libpng 1.6.55.

Developers and users are strongly advised to update to version 1.6.55 immediately, as the ubiquity of libpng makes this a high-value target for exploit development.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.