securityonline.info 2/10/2026, 4:15:52 AM · via preferred

30-Year-Old Bug: High-Severity libpng Flaw (CVSS 8.3) Exposes Millions of Apps

CyberSIXT Evidence Panel: CISA KEV: Not in KEV. Patch status: Unknown.

A high-severity vulnerability has been unearthed in libpng, the PNG image handling library. Tracked as CVE-2026-25646 with a CVSS score of 8.3, the bug has existed in the codebase since its inception and affects every version released over the past three decades.

The flaw resides in the png_set_quantize() function. It is a heap buffer overflow that can also cause an infinite loop, potentially allowing an attacker to read and write memory and trigger information disclosure or arbitrary code execution under certain conditions. The trigger conditions are: processing a palette image with no histogram, combined with a specific quantisation request in which the maximum number of colours is set to less than half the palette size.

The maintainers have released a fix in libpng 1.6.55; users of version 1.6.54 and earlier are advised to upgrade immediately, given the library’s ubiquity and downstream impact across software ecosystems. The advisory notes that the bug has been present for about 28 years, so many applications relying on libpng could be affected unless updated.
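For teams that cannot roll out 1.6.55 immediately, the two facts the article gives (the fixed version, and the trigger preconditions of a palette image with no histogram plus a maximum colour count below half the palette size) are enough to build a call-site guard. The following C is an added example written for this page, not libpng code or code from the advisory: it parses the version string in the format png_get_libpng_ver() returns, checks a quantisation request against the stated trigger conditions, and refuses png_set_quantize() only when the linked library is unfixed and the request matches. The function and parameter names are assumptions; the libpng calls named in the comments (png_get_libpng_ver, png_get_color_type, png_get_PLTE, png_get_valid with PNG_INFO_hIST) are the real accessors an application would use to obtain the inputs.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not libpng code. Parses a "MAJOR.MINOR.PATCH" string such as
   "1.6.55" (the shape png_get_libpng_ver() returns) into three integers.
   Returns 1 on success, 0 if the string is missing or malformed. */
static int parse_version(const char *ver, int *major, int *minor, int *patch)
{
    if (ver == NULL)
        return 0;
    return sscanf(ver, "%d.%d.%d", major, minor, patch) == 3;
}

/* 1 if the version is 1.6.55 or newer, i.e. the fixed release named in the
   advisory; an unparseable version is treated as unfixed (fail closed). */
int libpng_version_is_fixed(const char *ver)
{
    int major, minor, patch;
    if (!parse_version(ver, &major, &minor, &patch))
        return 0;
    if (major != 1)
        return major > 1;
    if (minor != 6)
        return minor > 6;
    return patch >= 55;
}

/* 1 if a quantisation request matches the trigger conditions described in
   the advisory: palette image, no histogram (hIST chunk), and a maximum
   colour count of less than half the palette size. "2 * max < n" is the
   integer-safe form of "max < n / 2". */
int quantize_request_hits_trigger(int is_palette, int has_histogram,
                                  int num_palette, int maximum_colors)
{
    if (!is_palette || has_histogram)
        return 0;
    if (num_palette <= 0)
        return 0;
    return 2 * maximum_colors < num_palette;
}

/* Policy: png_set_quantize() is allowed unless the library is unfixed AND the
   request matches the trigger. On a fixed library every request is allowed.
   Hypothetical call site in a real application (png.h not included here so
   the example builds stand-alone):
     const char *ver = png_get_libpng_ver(png_ptr);
     int is_palette = png_get_color_type(png_ptr, info_ptr) == PNG_COLOR_TYPE_PALETTE;
     int has_hist   = png_get_valid(png_ptr, info_ptr, PNG_INFO_hIST) != 0;
     png_colorp palette; int num_palette;
     png_get_PLTE(png_ptr, info_ptr, &palette, &num_palette);
     if (quantize_is_safe(ver, is_palette, has_hist, num_palette, max_colors))
         png_set_quantize(png_ptr, palette, num_palette, max_colors, NULL, 0); */
int quantize_is_safe(const char *libpng_ver, int is_palette, int has_histogram,
                     int num_palette, int maximum_colors)
{
    if (libpng_version_is_fixed(libpng_ver))
        return 1;
    return !quantize_request_hits_trigger(is_palette, has_histogram,
                                          num_palette, maximum_colors);
}

int main(void)
{
    /* Constructed inputs: a 256-entry palette image without a hIST chunk. */
    const char *versions[] = { "1.6.54", "1.6.55" };
    int max_colors[] = { 100, 200 };
    for (int v = 0; v < 2; v++)
        for (int m = 0; m < 2; m++)
            printf("libpng %s, 256-colour palette, no hIST, max_colors=%d: %s\n",
                   versions[v], max_colors[m],
                   quantize_is_safe(versions[v], 1, 0, 256, max_colors[m])
                       ? "quantize allowed" : "quantize refused (upgrade to 1.6.55)");
    return 0;
}
```

The guard is a stopgap, not a substitute for upgrading: it only covers the call sites you control, and it reads the version of the library actually linked at runtime, which is the value that matters on systems where a shared libpng is updated independently of the application.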


Article by CyberSIXT