Researchers unearth 30-year-old vulnerability in libpng library
Summary
A 30-year-old heap buffer overflow vulnerability was found in the libpng library. The vulnerability, CVE-2026-25646, could allow an attacker who supplies a maliciously crafted PNG image to crash the processing application, leak information from its memory, or achieve remote code execution, but exploitation is not trivial.
IFF Assessment
FOE
A remote code execution vulnerability, even with caveats about exploitation difficulty, is bad news for defenders.
Severity
9.8
Critical
(AI Estimated)
Defender Context
This vulnerability requires patching libpng to version 1.6.55 or later. Defenders should prioritize systems that process PNG images from untrusted sources. While exploitation is difficult, the widespread use of libpng makes this a significant issue to address.
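Because the only stated remediation is moving to libpng 1.6.55 or later, the practical defender task is inventory: find every host or container whose libpng is older than that. The script below is an added example written for this summary, not code from libpng or from the advisory's source. It assumes the fixed version from the text (1.6.55), treats pre-release strings such as "1.6.55beta01" conservatively as unpatched, and, where pkg-config is installed, queries the local libpng version with the real `pkg-config --modversion libpng` call; the inventory hostnames and version strings are constructed sample data.

```python
import re
import shutil
import subprocess

# Fixed release named in the advisory: libpng 1.6.55 or later carries the patch.
FIXED_VERSION = (1, 6, 55)

def parse_version(text):
    """Extract the (major, minor, patch) triple from a libpng version string.

    Accepts plain '1.6.54' as well as longer forms such as
    'libpng version 1.6.50 - ...' or '1.6.55beta01'.
    Returns (triple, is_prerelease) or (None, False) if nothing parses.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None, False
    triple = tuple(int(x) for x in m.groups())
    # Assumption: anything tagged alpha/beta/rc after the number is a pre-release
    # of that version and may predate the fix, so it is treated as unpatched.
    prerelease = re.search(r"(alpha|beta|rc)", text[m.end():], re.IGNORECASE) is not None
    return triple, prerelease

def is_vulnerable(version_text):
    """True when the reported libpng version is older than the fixed release
    (or is a pre-release of the fixed release itself)."""
    triple, prerelease = parse_version(version_text)
    if triple is None:
        raise ValueError(f"unrecognised libpng version string: {version_text!r}")
    if triple < FIXED_VERSION:
        return True
    return triple == FIXED_VERSION and prerelease

def triage(inventory):
    """Given {host: libpng version string}, return the sorted list of hosts
    that still need the libpng 1.6.55 update."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))

def local_libpng_version():
    """Best-effort query of the locally installed libpng via pkg-config.
    Returns the version string, or None if pkg-config or libpng is absent."""
    if shutil.which("pkg-config") is None:
        return None
    try:
        out = subprocess.run(
            ["pkg-config", "--modversion", "libpng"],
            capture_output=True, text=True, check=True,
        )
    except subprocess.CalledProcessError:
        return None
    return out.stdout.strip() or None

if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {
        "img-resize-01": "1.6.54",
        "img-resize-02": "1.6.55",
        "legacy-thumbnailer": "libpng version 1.6.37 - constructed sample",
        "build-agent": "1.6.55beta01",
    }
    print("hosts needing the libpng 1.6.55 update:", triage(sample))

    local = local_libpng_version()
    if local is None:
        print("local libpng: not detected via pkg-config")
    else:
        state = "VULNERABLE" if is_vulnerable(local) else "patched"
        print(f"local libpng {local}: {state}")
```

The pre-release handling is the deliberate design choice here: a version string that parses to the fixed triple but carries a beta or rc suffix is reported as needing attention rather than silently passing, which errs on the side of re-checking a build rather than missing one.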