- What: A security update addresses a buffer overflow vulnerability in libpng.
- Impact: Successful exploitation could lead to denial of service or arbitrary code execution.
[SECURITY] [DSA 6138-1] libpng1.6 security update To : debian-security-announce@lists.debian.org Subject : [SECURITY] [DSA 6138-1] libpng1.6 security update From : Moritz Muehlenhoff < jmm@debian.org > Date : Tue, 17 Feb 2026 21:51:59 +0000 Message-id : < [🔎] aZTi_3FYpL9KgXao@seger.debian.org > Reply-to : debian-security-announce-request@lists.debian.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-6138-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff February 17, 2026 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : libpng1.6 CVE ID : CVE-2026-25646 A buffer overflow was discovered in libpng, a library implementing an interface for reading and writing PNG (Portable Network Graphics) files, which could result in denial of service or potentially the execution of arbitrary code. For the oldstable distribution (bookworm), this problem has been fixed in version 1.6.39-2+deb12u3. This update also includes two additional security fixes (CVE-2026-22801 and CVE-2026-22695), which had been lined up for the next Bookworm point release. For the stable distribution (trixie), this problem has been fixed in version 1.6.48-1+deb13u3. This update also includes two additional security fixes (CVE-2026-22801 and CVE-2026-22695), which had been lined up for the next Trixie point release. We recommend that you upgrade your libpng1.6 packages. For the detailed security status of libpng1.6 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libpng1.6 Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmmU4uUACgkQEMKTtsN8 TjYlKg/+Kx2bRn9RC/9E4YofFkpn52B1dXN6Qd/1W6dxvhlu5AmLGehlwZcJTg8U 3OhmZGJkPOwWq+UBN7ujUwZFfCsON3pHFSx+D6ok8LYEuJXPU5RNoNtDt9qIq0kw tsEWermOBQ23QweGfuAILtwXwFZB+abvUS4tf3MJBMLXVxAxAu09nlTQdzjKzARQ HLTDSKbfUnrEGBUY3ZkZCgmKD8QPFI+8jZy5BOzfUHytZ16za6aGPUt01531EjRw IipTPI7XN5Yn0MDUcV+NbNWRZJn0s3S+3KhRy4TW2R1CG8FKV77yxbPLA/OgwfnX cdq39sa+6Y3i4v2JXPgIbzej/4DbbhhGrziVa6tAiCcg4kBo/XDRTSiZJ9GtS9L9 QX5nsCh7HYcyGO+CL+f998zFUsARjVG2S3v9UdXqoUVijjYqYyk20EJGhhAatjgW jMjpWefcxoGSyPXDmA8C/7+OO6v2w11OTP+i1k+uDMFs451xpjuFjKjOMOTPNq72 GeVny+Z8m2ZlJNaEYoOeBeteCU83z3Tkb4wTQd7QnCwl9GuswbSIexUKzBK7XTAt nzRpVvb6yML1Qj72j1Jy88Arc+fFC0OJOJLSOMpRNiQ6O4d9c4HPkatggDXrbKUU elGB2scxJf3LWFgZj7ncimtsRd9nyg1P9WkBCMr4L9UQ5D6JoeQ= =kZeK -----END PGP SIGNATURE----- Reply to: debian-security-announce@lists.debian.org Moritz Muehlenhoff (on-list) Moritz Muehlenhoff (off-list) Prev by Date: [SECURITY] [DSA 6137-1] roundcube security update Previous by thread: [SECURITY] [DSA 6137-1] roundcube security update Index(es): Date Thread