CVE-2025-64506

NameCVE-2025-64506
DescriptionLIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, a heap buffer over-read vulnerability exists in libpng's png_write_image_8bit function when processing 8-bit images through the simplified write API with convert_to_8bit enabled. The vulnerability affects 8-bit grayscale+alpha, RGB/RGBA, and images with incomplete row data. A conditional guard incorrectly allows 8-bit input to enter code expecting 16-bit input, causing reads up to 2 bytes beyond allocated buffer boundaries. This issue has been patched in version 1.6.51.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-4396-1, DSA-6076-1
Debian Bugs1121218

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libpng1.6 (PTS)bullseye1.6.37-3vulnerable
bullseye (security)1.6.37-3+deb11u1fixed
bookworm1.6.39-2vulnerable
bookworm (security)1.6.39-2+deb12u1fixed
trixie1.6.48-1vulnerable
trixie (security)1.6.48-1+deb13u1fixed
forky1.6.52-1fixed
sid1.6.53-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libpng1.6sourcebullseye1.6.37-3+deb11u1DLA-4396-1
libpng1.6sourcebookworm1.6.39-2+deb12u1DSA-6076-1
libpng1.6sourcetrixie1.6.48-1+deb13u1DSA-6076-1
libpng1.6source(unstable)1.6.51-11121218

Notes

https://github.com/pnggroup/libpng/security/advisories/GHSA-qpr4-xm66-hww6
https://github.com/pnggroup/libpng/pull/749
https://github.com/pnggroup/libpng/commit/2bd84c019c300b78e811743fbcddb67c9d9bf821 (v1.6.51)
https://www.openwall.com/lists/oss-security/2025/11/22/1
Search for package or bug name: Reporting problems