Bug 35115 - libpng new security issue CVE-2026-25646
Summary: libpng new security issue CVE-2026-25646
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2026-02-10 09:24 CET by Nicolas Salguero
Modified: 2026-02-12 06:55 CET (History)

See Also:
Source RPM: libpng-1.6.38-1.3.mga9.src.rpm
CVE: CVE-2026-25646
Status comment:
andrewsfarm: test_passed_mga9_64+


Description Nicolas Salguero 2026-02-10 09:24:24 CET
Reference: https://www.openwall.com/lists/oss-security/2026/02/09/7
Nicolas Salguero 2026-02-10 09:24:56 CET

Flags: (none) => affects_mga9+
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => libpng-1.6.53-2.mga10.src.rpm, libpng-1.6.38-1.3.mga9.src.rpm
CVE: (none) => CVE-2026-25646

Comment 1 Nicolas Salguero 2026-02-10 13:24:31 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Heap buffer overflow in png_set_quantize when called with no histogram and a palette larger than twice the requested maximum number of colors. (CVE-2026-25646)

References:
https://www.openwall.com/lists/oss-security/2026/02/09/7
========================

Updated packages in core/updates_testing:
========================
lib(64)png16_16-1.6.38-1.4.mga9
lib(64)png-devel-1.6.38-1.4.mga9

from SRPM:
libpng-1.6.38-1.4.mga9.src.rpm

Source RPM: libpng-1.6.53-2.mga10.src.rpm, libpng-1.6.38-1.3.mga9.src.rpm => libpng-1.6.38-1.3.mga9.src.rpm
Flags: affects_mga9+ => (none)
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Status: NEW => ASSIGNED

Comment 2 Lewis Smith 2026-02-10 17:00:24 CET
Thank you Nicolas for doing this so quickly.

Assignee: bugsquad => qa-bugs

Comment 3 PC LX 2026-02-11 11:32:08 CET
Installed and tested without issues.

Tested using gimp.
Confirmed that gimp loaded the lib64png16_16 library using strace.
Loaded several png files, and saved them to png files, with various random settings.
Checked the saved images using gwenview.
No issues found.

System: Mageia 9, x86_64, Plasma DE, AMD Ryzen 5 5600G with Radeon Graphics using amdgpu driver.

$ uname -a
Linux jupiter 6.6.120-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Wed Jan 14 01:59:53 UTC 2026 x86_64 GNU/Linux
$ rpm -qa | grep -P 'lib.*png16_16'
lib64png16_16-1.6.38-1.4.mga9
libpng16_16-1.6.38-1.4.mga9
$ strace -o ~/tmp/gimp.strace gimp
<SNIP>
$ grep -P openat.*libpng gimp.strace
openat(AT_FDCWD, "/usr/lib64/libpng16.so.16", O_RDONLY|O_CLOEXEC) = 3
$ rpm -qf /usr/lib64/libpng16.so.16
lib64png16_16-1.6.38-1.4.mga9

CC: (none) => mageia
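Added example, not part of the bug report: a POSIX shell check that compares the installed libpng16_16 version-release against the fixed 1.6.38-1.4.mga9 from the advisory and lists processes that still map a deleted pre-upgrade copy of libpng16 (a process that loaded the library before the update keeps running the old code until restarted). It assumes rpm and a Linux /proc; the version comparison is a simplified rpmvercmp written for this example.

```shell
#!/bin/sh
# Added example (not from the bug report): is the libpng update fixing
# CVE-2026-25646 installed, and does any process still use the old copy?
# Assumes rpm and /proc on a Mageia 9 x86_64 host.

FIXED_VR="1.6.38-1.4.mga9"   # fixed version-release per the advisory

# rpm_vercmp A B: print -1, 0 or 1 (simplified rpmvercmp: digit runs compare
# numerically, letter runs as strings, a digit segment beats a letter segment).
rpm_vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = seg(a, x); m = seg(b, y)
    for (i = 1; i <= n && i <= m; i++) {
      p = x[i]; q = y[i]
      if (p == q) continue
      pd = (p ~ /^[0-9]+$/); qd = (q ~ /^[0-9]+$/)
      if (pd && qd) { r = (p + 0 < q + 0) ? -1 : 1; print r; exit }
      if (pd != qd) { r = pd ? 1 : -1; print r; exit }
      r = (p < q) ? -1 : 1; print r; exit
    }
    r = (n < m) ? -1 : (n > m) ? 1 : 0; print r
  }
  # split a version string into alternating digit / letter segments
  function seg(s, arr,   k) {
    gsub(/[0-9]+/, ".&.", s)
    sub(/^[^0-9A-Za-z]+/, "", s); sub(/[^0-9A-Za-z]+$/, "", s)
    k = split(s, arr, /[^0-9A-Za-z]+/)
    return k
  }'
}

# fixed_installed INSTALLED_VR: succeeds when INSTALLED_VR >= FIXED_VR
fixed_installed() {
  [ "$(rpm_vercmp "$1" "$FIXED_VR")" -ge 0 ]
}

# PIDs whose mappings still reference a deleted (pre-upgrade) libpng16 file;
# those processes keep the vulnerable code in memory until restarted.
stale_libpng_procs() {
  grep -l 'libpng16\.so.*(deleted)' /proc/[0-9]*/maps 2>/dev/null | cut -d/ -f3
}

main() {
  for pkg in lib64png16_16 libpng16_16; do
    vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$pkg" 2>/dev/null) || continue
    if fixed_installed "$vr"; then echo "$pkg $vr: fixed"; else echo "$pkg $vr: VULNERABLE"; fi
  done
  stale=$(stale_libpng_procs)
  if [ -n "$stale" ]; then echo "restart needed, PIDs still mapping old libpng16: $stale"; fi
}
case "${1:-}" in --run) main ;; esac
```

Run it as `sh check_libpng.sh --run`; the functions can also be sourced and used individually.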

Comment 4 Thomas Andrews 2026-02-11 17:18:54 CET
No installation issues. Used ImageMagick for testing. Converted several .jpgs to png, and other pngs to gif. Displayed all in Gwenview with no issues.

This looks OK. Validating.

Whiteboard: (none) => MGA9-64-OK
Keywords: (none) => validated_update
Flags: (none) => test_passed_mga9_64+
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 Herman Viaene 2026-02-11 17:25:06 CET
MGA9-64 server Plasma Wayland on Compaq H000SB.
No installation issues.
Opened png file OK in inkscape under strace, shows use of the lib.
In view of tests above, good to go.

CC: (none) => herman.viaene

katnatek 2026-02-11 21:31:22 CET

Keywords: (none) => advisory

Comment 6 Mageia Robot 2026-02-12 06:55:34 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0038.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

