CVE-2025-64505

NameCVE-2025-64505
DescriptionLIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to version 1.6.51, a heap buffer over-read vulnerability exists in libpng's png_do_quantize function when processing PNG files with malformed palette indices. The vulnerability occurs when palette_lookup array bounds are not validated against externally-supplied image data, allowing an attacker to craft a PNG file with out-of-range palette indices that trigger out-of-bounds memory access. This issue has been patched in version 1.6.51.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-4396-1, DSA-6076-1
Debian Bugs1121219

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libpng1.6 (PTS)bullseye1.6.37-3vulnerable
bullseye (security)1.6.37-3+deb11u1fixed
bookworm1.6.39-2vulnerable
bookworm (security)1.6.39-2+deb12u1fixed
trixie1.6.48-1vulnerable
trixie (security)1.6.48-1+deb13u1fixed
forky1.6.52-1fixed
sid1.6.53-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libpng1.6sourcebullseye1.6.37-3+deb11u1DLA-4396-1
libpng1.6sourcebookworm1.6.39-2+deb12u1DSA-6076-1
libpng1.6sourcetrixie1.6.48-1+deb13u1DSA-6076-1
libpng1.6source(unstable)1.6.51-11121219

Notes

https://github.com/pnggroup/libpng/security/advisories/GHSA-4952-h5wq-4m42
https://github.com/pnggroup/libpng/pull/748
https://github.com/pnggroup/libpng/commit/6a528eb5fd0dd7f6de1c39d30de0e41473431c37 (v1.6.51)
https://www.openwall.com/lists/oss-security/2025/11/22/1
Search for package or bug name: Reporting problems