CVE-2026-25646

Description

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
chromium-browser	26.04 LTS resolute	Not affected
	25.10 questing	Not affected
	24.04 LTS noble	Not affected
	22.04 LTS jammy	Not affected
firefox	26.04 LTS resolute	Not affected
	25.10 questing	Not affected
	24.04 LTS noble	Not affected
	22.04 LTS jammy	Not affected
libpng	26.04 LTS resolute	Not in release
	25.10 questing	Not in release
	24.04 LTS noble	Not in release
	22.04 LTS jammy	Not in release
	16.04 LTS xenial	Fixed 1.2.54-1ubuntu1.1+esm2
	14.04 LTS trusty	Fixed 1.2.50-1ubuntu2.14.04.3+esm1
libpng1.6	26.04 LTS resolute	Fixed 1.6.55-1
	25.10 questing	Fixed 1.6.50-1ubuntu0.4
	24.04 LTS noble	Fixed 1.6.43-5ubuntu0.5
	22.04 LTS jammy	Fixed 1.6.37-3ubuntu0.4
	20.04 LTS focal	Fixed 1.6.37-2ubuntu0.1~esm2
	18.04 LTS bionic	Fixed 1.6.34-1ubuntu0.18.04.2+esm2
	16.04 LTS xenial	Fixed 1.6.20-2ubuntu0.1~esm3
thunderbird	26.04 LTS resolute	Not affected
	25.10 questing	Not affected
	24.04 LTS noble	Not affected
	22.04 LTS jammy	Not affected

Get expanded security coverage with Ubuntu Pro

Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.

Get Ubuntu Pro 30-day free trial

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
libpng1.6	Upstream: 01d03b8

Severity score breakdown

CVSS version:

Base score 8.3 · High

Base metrics

Parameter	Value
Attack vector	Network
Attack complexity	High
Attack requirements	Present
Privileges required	None
User interaction	None
Vulnerable system - Confidentiality impact	Low
Vulnerable system - Integrity impact	Low
Vulnerable system - Availability impact	High
Subsequent system - Confidentiality impact	None
Subsequent system - Integrity impact	None
Subsequent system - Availability impact	None

Scores

Parameter	Value
Base score	8.3 · High
Base + Threat score	-
Base + Environmental score	-
Base + Threat + Environmental score	-

Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

Base score 7.0 · High

Base metrics

Parameter	Value
Attack vector	Network
Attack complexity	High
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality impact	Low
Integrity impact	Low
Availability impact	High

Scores

Parameter	Value
Base score	7.0 · High
Exploitability score	-
Impact score	-

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

References

Related Ubuntu Security Notices (USN)

USN-8035-1
libpng vulnerabilities
12 February 2026

USN-8039-1
libpng vulnerability
12 February 2026

USN-8081-1
libpng vulnerabilities
11 March 2026