CVE-2025-64720

NameCVE-2025-64720
DescriptionLIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, an out-of-bounds read vulnerability exists in png_image_read_composite when processing palette images with PNG_FLAG_OPTIMIZE_ALPHA enabled. The palette compositing code in png_init_read_transformations incorrectly applies background compositing during premultiplication, violating the invariant component ≤ alpha × 257 required by the simplified PNG API. This issue has been patched in version 1.6.51.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-4396-1, DSA-6076-1
Debian Bugs1121217

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libpng1.6 (PTS)bullseye1.6.37-3vulnerable
bullseye (security)1.6.37-3+deb11u1fixed
bookworm1.6.39-2vulnerable
bookworm (security)1.6.39-2+deb12u1fixed
trixie1.6.48-1vulnerable
trixie (security)1.6.48-1+deb13u1fixed
forky1.6.52-1fixed
sid1.6.53-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libpng1.6sourcebullseye1.6.37-3+deb11u1DLA-4396-1
libpng1.6sourcebookworm1.6.39-2+deb12u1DSA-6076-1
libpng1.6sourcetrixie1.6.48-1+deb13u1DSA-6076-1
libpng1.6source(unstable)1.6.51-11121217

Notes

https://github.com/pnggroup/libpng/security/advisories/GHSA-hfc7-ph9c-wcww
https://github.com/pnggroup/libpng/issues/686
https://github.com/pnggroup/libpng/commit/08da33b4c88cfcd36e5a706558a8d7e0e4773643 (v1.6.51)
https://www.openwall.com/lists/oss-security/2025/11/22/1
Search for package or bug name: Reporting problems