Vulnerability details: VCID-xyhj-84d1-dqh3
Vulnerability ID VCID-xyhj-84d1-dqh3
Aliases CVE-2026-25646
Summary libpng: LIBPNG has a heap buffer overflow in png_set_quantize
Status Published
Exploitability 0.5
Weighted Severity 7.5
Risk 3.8
System Score Found at
cvssv3 7.0 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25646.json
epss 0.00077 https://api.first.org/data/v1/epss?cve=CVE-2026-25646
epss 0.00081 https://api.first.org/data/v1/epss?cve=CVE-2026-25646
epss 0.00093 https://api.first.org/data/v1/epss?cve=CVE-2026-25646
cvssv3.1 7 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv4 8.3 https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e5a1c7277d88
ssvc Track https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e5a1c7277d88
cvssv4 8.3 https://github.com/pnggroup/libpng/security/advisories/GHSA-g8hp-mq4h-rqm3
ssvc Track https://github.com/pnggroup/libpng/security/advisories/GHSA-g8hp-mq4h-rqm3
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25646.json
https://api.first.org/data/v1/epss?cve=CVE-2026-25646
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25646
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
01d03b8453eb30ade759cd45c707e5a1c7277d88 https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e5a1c7277d88
1127566 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127566
2438542 https://bugzilla.redhat.com/show_bug.cgi?id=2438542
GHSA-g8hp-mq4h-rqm3 https://github.com/pnggroup/libpng/security/advisories/GHSA-g8hp-mq4h-rqm3
RHSA-2026:10097 https://access.redhat.com/errata/RHSA-2026:10097
RHSA-2026:3031 https://access.redhat.com/errata/RHSA-2026:3031
RHSA-2026:3405 https://access.redhat.com/errata/RHSA-2026:3405
RHSA-2026:3551 https://access.redhat.com/errata/RHSA-2026:3551
RHSA-2026:3573 https://access.redhat.com/errata/RHSA-2026:3573
RHSA-2026:3574 https://access.redhat.com/errata/RHSA-2026:3574
RHSA-2026:3575 https://access.redhat.com/errata/RHSA-2026:3575
RHSA-2026:3576 https://access.redhat.com/errata/RHSA-2026:3576
RHSA-2026:3577 https://access.redhat.com/errata/RHSA-2026:3577
RHSA-2026:3968 https://access.redhat.com/errata/RHSA-2026:3968
RHSA-2026:3969 https://access.redhat.com/errata/RHSA-2026:3969
RHSA-2026:4221 https://access.redhat.com/errata/RHSA-2026:4221
RHSA-2026:4222 https://access.redhat.com/errata/RHSA-2026:4222
RHSA-2026:4306 https://access.redhat.com/errata/RHSA-2026:4306
RHSA-2026:4501 https://access.redhat.com/errata/RHSA-2026:4501
RHSA-2026:4728 https://access.redhat.com/errata/RHSA-2026:4728
RHSA-2026:4729 https://access.redhat.com/errata/RHSA-2026:4729
RHSA-2026:4730 https://access.redhat.com/errata/RHSA-2026:4730
RHSA-2026:4731 https://access.redhat.com/errata/RHSA-2026:4731
RHSA-2026:4732 https://access.redhat.com/errata/RHSA-2026:4732
RHSA-2026:4756 https://access.redhat.com/errata/RHSA-2026:4756
RHSA-2026:5606 https://access.redhat.com/errata/RHSA-2026:5606
RHSA-2026:6439 https://access.redhat.com/errata/RHSA-2026:6439
RHSA-2026:6445 https://access.redhat.com/errata/RHSA-2026:6445
RHSA-2026:6466 https://access.redhat.com/errata/RHSA-2026:6466
RHSA-2026:6467 https://access.redhat.com/errata/RHSA-2026:6467
RHSA-2026:6468 https://access.redhat.com/errata/RHSA-2026:6468
RHSA-2026:6469 https://access.redhat.com/errata/RHSA-2026:6469
RHSA-2026:6553 https://access.redhat.com/errata/RHSA-2026:6553
RHSA-2026:6732 https://access.redhat.com/errata/RHSA-2026:6732
RHSA-2026:7032 https://access.redhat.com/errata/RHSA-2026:7032
RHSA-2026:7033 https://access.redhat.com/errata/RHSA-2026:7033
RHSA-2026:7034 https://access.redhat.com/errata/RHSA-2026:7034
RHSA-2026:7035 https://access.redhat.com/errata/RHSA-2026:7035
RHSA-2026:7036 https://access.redhat.com/errata/RHSA-2026:7036
RHSA-2026:7239 https://access.redhat.com/errata/RHSA-2026:7239
RHSA-2026:7243 https://access.redhat.com/errata/RHSA-2026:7243
RHSA-2026:8746 https://access.redhat.com/errata/RHSA-2026:8746
RHSA-2026:8747 https://access.redhat.com/errata/RHSA-2026:8747
RHSA-2026:8748 https://access.redhat.com/errata/RHSA-2026:8748
RHSA-2026:9254 https://access.redhat.com/errata/RHSA-2026:9254
RHSA-2026:9255 https://access.redhat.com/errata/RHSA-2026:9255
USN-8035-1 https://usn.ubuntu.com/8035-1/
USN-8039-1 https://usn.ubuntu.com/8039-1/
USN-8081-1 https://usn.ubuntu.com/8081-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25646.json
Attack Vector (AV): network
Attack Complexity (AC): high
Privileges Required (PR): none
User Interaction (UI): none
Scope (S): unchanged
Confidentiality Impact (C): low
Integrity Impact (I): low
Availability Impact (A): high

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV): network
Attack Complexity (AC): high
Privileges Required (PR): none
User Interaction (UI): none
Scope (S): unchanged
Confidentiality Impact (C): low
Integrity Impact (I): low
Availability Impact (A): high

Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N Found at https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e5a1c7277d88
Attack Vector (AV): network
Attack Complexity (AC): high
Attack Requirements (AT): present
Privileges Required (PR): none
User Interaction (UI): none
Vulnerable System Impact Confidentiality (VC): low
Vulnerable System Impact Integrity (VI): low
Vulnerable System Impact Availability (VA): high
Subsequent System Impact Confidentiality (SC): none
Subsequent System Impact Integrity (SI): none
Subsequent System Impact Availability (SA): none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-11T15:31:50Z/ Found at https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e5a1c7277d88
Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N Found at https://github.com/pnggroup/libpng/security/advisories/GHSA-g8hp-mq4h-rqm3
Attack Vector (AV): network
Attack Complexity (AC): high
Attack Requirements (AT): present
Privileges Required (PR): none
User Interaction (UI): none
Vulnerable System Impact Confidentiality (VC): low
Vulnerable System Impact Integrity (VI): low
Vulnerable System Impact Availability (VA): high
Subsequent System Impact Confidentiality (SC): none
Subsequent System Impact Integrity (SI): none
Subsequent System Impact Availability (SA): none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-11T15:31:50Z/ Found at https://github.com/pnggroup/libpng/security/advisories/GHSA-g8hp-mq4h-rqm3
Exploit Prediction Scoring System (EPSS)
Percentile 0.22976
EPSS Score 0.00077
Published At April 7, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T13:31:30.808354+00:00 RedHat Importer Import https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25646.json 38.0.0