oss-sec mailing list archives
libpng 1.6.55: Heap buffer overflow vulnerability fixed: CVE-2026-25646
From: Cosmin Truta <ctruta () gmail com>
Date: Tue, 10 Feb 2026 01:18:13 +0200
Hello, everyone,

libpng 1.6.55 has been released to address a heap buffer overflow vulnerability in the low-level API. This release fixes one high-severity CVE affecting all versions of libpng.

CVE-2026-25646 (High): Heap buffer overflow in png_set_quantize when called with no histogram and a palette larger than twice the requested maximum number of colors.

The vulnerability exists in the color quantization code that reduces the number of colors in a palette. A logic error in the color distance table causes current palette indices to be stored where original indices are expected. After palette entries are swapped during color pruning, the index mismatch causes the pruning loop to fail to find valid candidates, the search bound grows past the end of a heap-allocated buffer, and out-of-bounds reads occur.

The images that trigger this vulnerability are valid per the PNG specification. The bug has existed since the initial version of png_set_quantize (then called png_set_dither).

Unlike the recent CVEs fixed in libpng 1.6.51, 1.6.52 and 1.6.54, which affected the simplified API, this vulnerability affects the low-level function png_set_quantize.

This can result in denial of service and potentially information disclosure or arbitrary code execution via heap corruption.

GitHub Security Advisory:
- CVE-2026-25646: https://github.com/pnggroup/libpng/security/advisories/GHSA-g8hp-mq4h-rqm3

Fix:
- https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e5a1c7277d88

Release: https://github.com/pnggroup/libpng/releases/tag/v1.6.55

Credit: Joshua Inscoe (reporter and fixer)

Users should upgrade to libpng 1.6.55 immediately.

---
Cosmin Truta
libpng maintainer
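A pre-flight check for callers of png_set_quantize that cannot upgrade at once, added here as an example; it is not code from libpng or from the advisory. The helper names and the enum are hypothetical, the trigger condition and the fixed version are taken from the message above, and the version comparison assumes a 1.6.x build.

```c
#include <stdio.h>

/* First fixed release per the advisory: 1.6.55, in libpng's numeric
 * encoding major*10000 + minor*100 + patch (as in PNG_LIBPNG_VER). */
#define FIXED_VER 10655UL

enum quantize_risk { QR_NOT_AFFECTED = 0, QR_VULNERABLE_PATH = 1, QR_BAD_ARGS = 2 };

/* Parse a version string such as "1.6.54" (as returned by
 * png_get_libpng_ver) into the numeric encoding; 0 means malformed. */
unsigned long parse_png_version(const char *s)
{
    unsigned int major, minor, patch;
    if (s == NULL || sscanf(s, "%u.%u.%u", &major, &minor, &patch) != 3)
        return 0;
    if (major > 99 || minor > 99 || patch > 99)
        return 0;
    return major * 10000UL + minor * 100UL + patch;
}

/* Hypothetical guard: classify a planned png_set_quantize call.
 * has_histogram is (histogram != NULL) in the real call. A distro build
 * with a backported fix still reports an old version, so this errs on
 * the side of flagging. Assumes the 1.6.x release line. */
enum quantize_risk quantize_call_risk(unsigned long runtime_ver, int has_histogram,
                                      int num_palette, int maximum_colors)
{
    if (runtime_ver == 0 || num_palette < 0 || maximum_colors < 1)
        return QR_BAD_ARGS;
    if (runtime_ver >= FIXED_VER || has_histogram)
        return QR_NOT_AFFECTED;
    /* Advisory condition: no histogram and palette > 2 * maximum colors.
     * long long avoids int overflow in the multiplication. */
    if ((long long)num_palette > 2LL * (long long)maximum_colors)
        return QR_VULNERABLE_PATH;
    return QR_NOT_AFFECTED;
}

int main(void)
{
    /* Constructed sample: a 1.6.54 runtime, 256-entry palette, 100 colors. */
    unsigned long v = parse_png_version("1.6.54");
    printf("no histogram:   %d\n", quantize_call_risk(v, 0, 256, 100));
    printf("with histogram: %d\n", quantize_call_risk(v, 1, 256, 100));
    return 0;
}
```

In a program linked against libpng, pass png_access_version_number() as runtime_ver so the check reflects the library actually loaded rather than the headers used at build time.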
