Bug 2438542 (CVE-2026-25646)

Summary: CVE-2026-25646 libpng: LIBPNG has a heap buffer overflow in png_set_quantize
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: high
Priority: high
Version: unspecified
CC: ahughes, caswilli, crizzo, fferrari, fitzsim, gotiwari, gtanzill, jbuscemi, jgrulich, jhorak, kaycoth, khosford, kshier, mtorre, mvyas, neugens, pjindal, stcannon, teagle, tfitzsim, tpopela, yguenane
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version:
Doc Text:
A heap-based buffer overflow flaw has been discovered in libpng. Prior to version 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification.
Bug Depends On: 2438653, 2438654, 2438655, 2438656, 2438657, 2438658, 2438659, 2438660, 2438661, 2438662, 2438663, 2438664, 2438665, 2438666, 2438667, 2438668, 2438669, 2438670, 2438671, 2438672, 2438673, 2438674, 2438675, 2438676, 2438677, 2438678, 2438679, 2438680, 2438681, 2438682, 2438683, 2438684, 2438685, 2438686
Bug Blocks:

Description OSIDB Bzimport 2026-02-10 18:01:50 UTC
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55.

Comment 1 errata-xmlrpc 2026-02-23 01:40:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:3031 https://access.redhat.com/errata/RHSA-2026:3031

Comment 2 errata-xmlrpc 2026-02-26 07:21:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:3405 https://access.redhat.com/errata/RHSA-2026:3405

Comment 3 errata-xmlrpc 2026-03-02 15:27:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:3551 https://access.redhat.com/errata/RHSA-2026:3551

Comment 4 errata-xmlrpc 2026-03-02 19:53:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:3573 https://access.redhat.com/errata/RHSA-2026:3573

Comment 5 errata-xmlrpc 2026-03-02 19:59:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:3577 https://access.redhat.com/errata/RHSA-2026:3577

Comment 6 errata-xmlrpc 2026-03-03 00:06:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:3575 https://access.redhat.com/errata/RHSA-2026:3575

Comment 7 errata-xmlrpc 2026-03-03 00:37:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:3574 https://access.redhat.com/errata/RHSA-2026:3574

Comment 8 errata-xmlrpc 2026-03-03 01:00:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:3576 https://access.redhat.com/errata/RHSA-2026:3576

Comment 9 errata-xmlrpc 2026-03-09 01:28:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:3969 https://access.redhat.com/errata/RHSA-2026:3969

Comment 10 errata-xmlrpc 2026-03-09 01:50:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:3968 https://access.redhat.com/errata/RHSA-2026:3968

Comment 11 errata-xmlrpc 2026-03-10 17:54:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:4222 https://access.redhat.com/errata/RHSA-2026:4222

Comment 12 errata-xmlrpc 2026-03-10 18:20:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:4221 https://access.redhat.com/errata/RHSA-2026:4221

Comment 13 errata-xmlrpc 2026-03-11 11:20:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:4306 https://access.redhat.com/errata/RHSA-2026:4306

Comment 14 errata-xmlrpc 2026-03-17 09:34:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2026:4731 https://access.redhat.com/errata/RHSA-2026:4731

Comment 15 errata-xmlrpc 2026-03-17 09:35:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2026:4732 https://access.redhat.com/errata/RHSA-2026:4732

Comment 16 errata-xmlrpc 2026-03-17 09:52:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:4729 https://access.redhat.com/errata/RHSA-2026:4729

Comment 17 errata-xmlrpc 2026-03-17 10:07:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2026:4730 https://access.redhat.com/errata/RHSA-2026:4730

Comment 18 errata-xmlrpc 2026-03-17 10:13:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:4728 https://access.redhat.com/errata/RHSA-2026:4728

Comment 19 errata-xmlrpc 2026-03-17 13:06:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2026:4756 https://access.redhat.com/errata/RHSA-2026:4756

Comment 22 errata-xmlrpc 2026-04-02 11:04:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:6439 https://access.redhat.com/errata/RHSA-2026:6439

Comment 23 errata-xmlrpc 2026-04-02 11:27:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:6445 https://access.redhat.com/errata/RHSA-2026:6445

Comment 24 errata-xmlrpc 2026-04-02 12:02:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2026:6466 https://access.redhat.com/errata/RHSA-2026:6466

Comment 25 errata-xmlrpc 2026-04-02 12:10:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2026:6467 https://access.redhat.com/errata/RHSA-2026:6467

Comment 26 errata-xmlrpc 2026-04-02 12:14:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:6468 https://access.redhat.com/errata/RHSA-2026:6468

Comment 27 errata-xmlrpc 2026-04-02 12:15:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2026:6469 https://access.redhat.com/errata/RHSA-2026:6469

Comment 28 errata-xmlrpc 2026-04-08 11:54:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2026:7036 https://access.redhat.com/errata/RHSA-2026:7036

Comment 29 errata-xmlrpc 2026-04-08 12:00:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:7034 https://access.redhat.com/errata/RHSA-2026:7034

Comment 30 errata-xmlrpc 2026-04-08 12:09:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2026:7032 https://access.redhat.com/errata/RHSA-2026:7032

Comment 31 errata-xmlrpc 2026-04-08 12:09:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2026:7033 https://access.redhat.com/errata/RHSA-2026:7033

Comment 32 errata-xmlrpc 2026-04-08 12:39:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2026:7035 https://access.redhat.com/errata/RHSA-2026:7035

Comment 33 errata-xmlrpc 2026-04-09 08:24:29 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2026:6553 https://access.redhat.com/errata/RHSA-2026:6553

Comment 34 errata-xmlrpc 2026-04-16 10:24:17 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2026:7239 https://access.redhat.com/errata/RHSA-2026:7239

Comment 35 errata-xmlrpc 2026-04-16 10:56:19 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.19

Via RHSA-2026:7243 https://access.redhat.com/errata/RHSA-2026:7243

Comment 40 errata-xmlrpc 2026-04-30 12:10:45 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2026:10097 https://access.redhat.com/errata/RHSA-2026:10097

Comment 41 errata-xmlrpc 2026-05-08 20:56:58 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2026:12274 https://access.redhat.com/errata/RHSA-2026:12274

Comment 42 errata-xmlrpc 2026-05-13 13:54:54 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2026:15087 https://access.redhat.com/errata/RHSA-2026:15087

Comment 43 errata-xmlrpc 2026-05-13 14:16:21 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2026:14773 https://access.redhat.com/errata/RHSA-2026:14773

Comment 44 errata-xmlrpc 2026-05-20 13:27:23 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2026:17596 https://access.redhat.com/errata/RHSA-2026:17596