PT-2025-47831 · Libpng+9
Published: 2025-05-26 · Updated: 2026-06-01 · CVE-2025-64720
CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:S/C:P/I:N/A:C
Name of the Vulnerable Software and Affected Versions
libpng versions 1.6.0 through 1.6.50
libpng1.6 (affected versions not specified)
Description
The libpng PNG library contains a flaw that could lead to information leaks, denial of service, or potentially the execution of arbitrary code when processing specially crafted images. The issue is an out-of-bounds read vulnerability in the png_image_read_composite function when processing palette images with the PNG_FLAG_OPTIMIZE_ALPHA flag enabled. The vulnerability stems from incorrect background compositing during premultiplication within the png_init_read_transformations function, violating a required component invariant.
Recommendations
Upgrade libpng1.6 packages to version 1.6.39-2+deb12u1 for Debian bookworm.
Upgrade libpng1.6 packages to version 1.6.48-1+deb13u1 for Debian trixie.
Upgrade libpng to version 1.6.51 or later.
Exploit
Fix
RCE
DoS
Out of bounds Read
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Almalinux
Centos
Debian
Libpng
Linuxmint
Red Hat
Red Os
Rocky Linux
Ubuntu