png_set_quantize, which is used for reducing the number of colors in PNG images, and present in all versions of libpng prior to version 1.6.55.”When the function is called with no histogram and the number of colours in the palette is more than twice the maximum supported by the user’s display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer,” an advisory on the flaw explains.Security researchers have released a proof of concept for the vulnerability to demonstrate their concern. The flaw should not be overlooked but is certainly no reason for panic, according to security experts.”While it’s true this bug existed in the libpng library for three decades, this is not a doomsday-level threat,” said Satnam Narang, senior staff research engineer at Tenable, the firm behind the Nessus vulnerability assessment scanner.The vulnerable png_set_quantize function, previously called png_set_dither, is rarely used and exploitation of the flaw is tricky.These factors lower the true severity of this flaw despite the “high” severity rating and CVSS score of 8.3, according to Narang.”While it is still important to patch flaws like this one as part of the normal patch management process, it shouldn’t be prioritized over vulnerabilities in edge-network devices that are being targeted by nation-state threat actors and ransomware affiliates,” Narang advised.
AI-enabled bug hunting threat: The discovery of the flaw highlights the uncomfortable truth that there are many lingering vulnerabilities in open-source software libraries, dormant bugs that the wider use of AI tools is likely to unearth at greater cadence in future.”In combination with the rapid improvement of large language models, it’s likely we’ll see the discovery of a plethora of bugs in the coming months, just as Anthropic’s Claude Opus 4.6 was able to find 500 high-severity zero-days,” Narang told CSO. “Some of those bugs may be exploited by threat actors, instead of being disclosed via coordination.”
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4132296/researchers-unearth-30-year-old-vulnerability-in-libpng-library.html
