PT-2025-47829 · Libpng+7

Published 2025-05-26 · Updated 2026-06-01 · CVE-2025-64505

CVSS v3.1: 6.1 Medium

Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H

Name of the Vulnerable Software and Affected Versions

libpng versions prior to 1.6.51
libpng1.6 versions prior to 1.6.39-2+deb12u1
libpng1.6 versions prior to 1.6.48-1+deb13u1
libpng12-0 versions prior to 1.6.52-alt1

Description

LIBPNG is a library used for reading, creating, and manipulating PNG (Portable Network Graphics) raster image files. A heap buffer over-read issue exists in the png_do_quantize function when processing PNG files containing malformed palette indices. This occurs because the palette lookup array bounds are not validated against externally supplied image data. An attacker can craft a PNG file with out-of-range palette indices, leading to out-of-bounds memory access.

Recommendations

Upgrade to libpng version 1.6.51 or later.
Upgrade to libpng1.6 version 1.6.39-2+deb12u1 or later.
Upgrade to libpng1.6 version 1.6.48-1+deb13u1 or later.
Upgrade to libpng12-0 version 1.6.52-alt1 or later.

Exploit

Fix

DoS

Out of bounds Read

Weakness Enumeration

Related Identifiers

ALSA-2026_0125
ALSA-2026_0241
ASB-A-463980379
AZL-70763
AZL-70844
AZL-70859
AZL-70862
AZL-70865
AZL-70880
AZL-70894
AZL-70906
AZL-70909
AZL-70918
AZL-70969
BDU:2026-02923
CVE-2025-64505
DLA-4396-1
DSA-6076-1
ECHO-1949-597A-9E78
GHSA-4952-H5WQ-4M42
MGASA-2025-0314
OESA-2025-2763
OPENSUSE-SU-2025:15781-1
OPENSUSE-SU-2025:15797-1
OPENSUSE-SU-2026:20017-1
RHSA-2026:6732
SUSE-SU-2025:21217-1
SUSE-SU-2025:21220-1
SUSE-SU-2025:4383-1
SUSE-SU-2025:4432-1
SUSE-SU-2025:4436-1
SUSE-SU-2025:4494-1
SUSE-SU-2025:4533-1
SUSE-SU-2025_4383-1
SUSE-SU-2026:0898-1
SUSE-SU-2026:20030-1
SUSE-SU-2026:20073-1
USN-7924-1
USN-8081-1

Affected Products

Alt Linux
Debian
Libpng
Linux Mint
Apple macOS
RED OS
SUSE
Ubuntu