CVE-2025-28162

Name: CVE-2025-28162
Description: Buffer Overflow vulnerability in libpng 1.6.43-1.6.46 allows a local attacker to cause a denial of service via the pngimage with AddressSanitizer (ASan), the program leaks memory in various locations, eventually leading to high memory usage and causing the program to become unresponsive.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package     Release                          Version            Status
libpng1.6 (PTS)    bullseye                         1.6.37-3           vulnerable
                   bullseye (security)              1.6.37-3+deb11u1   vulnerable
                   bookworm, bookworm (security)    1.6.39-2+deb12u1   vulnerable
                   trixie (security), trixie        1.6.48-1+deb13u1   vulnerable
                   forky, sid                       1.6.54-1           vulnerable

The information below is based on the following data on fixed versions.

Package      Type     Release     Fixed Version   Urgency   Origin   Debian Bugs
libpng1.6    source   (unstable)  (unfixed)

Notes

https://github.com/pnggroup/libpng/issues/656
https://github.com/pnggroup/libpng/pull/657
check, negligible impact
