CVE-2025-64505: Critical Heap Buffer Over-Read in libpng PNG Quantization

Overview

CVE-2025-64505 describes a heap buffer over-read vulnerability in libpng, the reference library for reading and writing PNG (Portable Network Graphics) images. The flaw resides in the png_do_quantize function and can be triggered by processing a specially crafted PNG file whose palette indices are malformed. Exploitation could leak sensitive information from process memory or cause a denial of service.

Technical Details

The vulnerability stems from insufficient validation of palette indices within the png_do_quantize function. Specifically, indices taken from externally supplied image data are not checked against the bounds of the palette_lookup array. An attacker can exploit this by crafting a PNG file containing out-of-range palette indices. When png_do_quantize uses these invalid indices to access the palette_lookup array, the access lands outside the array's allocation, producing a heap buffer over-read.

This issue was identified and resolved in libpng version 1.6.51.

CVSS Analysis

This vulnerability has been assigned a CVSS score of 6.1 (MEDIUM).

While the impact is not catastrophic, the ability to potentially leak sensitive information and the possibility of a denial-of-service make this a noteworthy security concern.

Possible Impact

  • Information Leakage: An attacker might be able to read sensitive data from memory beyond the intended buffer.
  • Denial of Service (DoS): The out-of-bounds memory access can cause the application using libpng to crash or become unresponsive.

Mitigation or Patch Steps

The recommended mitigation is to upgrade to libpng version 1.6.51 or later. This version contains the necessary patch to address the vulnerability.

If upgrading is not immediately feasible, consider validating PNG files before handing them to libpng, for example by rejecting indexed images whose pixel indices exceed the number of PLTE entries. Relying solely on such input validation is not a reliable long-term solution, however; upgrading libpng is strongly advised.
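The following Python script is an added illustration (it is not code from this page, from libpng, or from the article's author) of the pre-validation step just described. It parses an 8-bit, non-interlaced indexed PNG, inflates and unfilters the image data, and reports every pixel whose palette index is not smaller than the PLTE entry count, which is the out-of-range condition the Technical Details section describes. The sample PNGs are constructed inline, and all function names are the example's own; any image it cannot fully interpret is rejected so a caller fails closed.

```python
"""Pre-validate indexed PNGs: every pixel index must be < number of PLTE entries.
Illustration code only; not libpng's implementation. Sample files are constructed inline."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC32 over type+data."""
    return (struct.pack(">I", len(data)) + ctype + data
            + struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF))


def _filter_sub(row):
    """Apply PNG filter type 1 (Sub) to a 1-byte-per-pixel scanline."""
    return bytes((row[x] - (row[x - 1] if x else 0)) & 0xFF for x in range(len(row)))


def build_indexed_png(width, height, palette, rows, filters=None):
    """Build a minimal 8-bit paletted (colour type 3) PNG from lists of indices.
    filters gives the per-row filter type (0 = None, 1 = Sub); default is 0 everywhere."""
    filters = filters or [0] * height
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 3, 0, 0, 0)
    plte = b"".join(bytes(c) for c in palette)
    raw = b"".join(bytes([f]) + (_filter_sub(r) if f == 1 else bytes(r))
                   for f, r in zip(filters, rows))
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"PLTE", plte)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def iter_chunks(data):
    """Yield (type, body) for each chunk, verifying lengths and CRCs as we go."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        body = data[pos + 8:pos + 8 + length]
        crc, = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if crc != zlib.crc32(ctype + body) & 0xFFFFFFFF:
            raise ValueError("bad CRC on chunk %r" % ctype)
        yield ctype, body
        pos += 12 + length
        if ctype == b"IEND":
            return


def _paeth(a, b, c):
    p = a + b - c
    pa, pb, pc = abs(p - a), abs(p - b), abs(p - c)
    if pa <= pb and pa <= pc:
        return a
    return b if pb <= pc else c


def unfilter_8bit(raw, width, height):
    """Undo PNG scanline filtering for 1-byte-per-pixel images; returns a list of rows."""
    stride = width + 1
    if len(raw) != stride * height:
        raise ValueError("decompressed image data has wrong size")
    prev = bytearray(width)
    rows = []
    for y in range(height):
        ftype = raw[y * stride]
        if ftype > 4:
            raise ValueError("bad filter type %d on row %d" % (ftype, y))
        line = bytearray(raw[y * stride + 1:(y + 1) * stride])
        for x in range(width):
            a = line[x - 1] if x else 0      # left pixel, already reconstructed
            b = prev[x]                      # pixel above
            c = prev[x - 1] if x else 0      # upper-left pixel
            if ftype == 1:
                line[x] = (line[x] + a) & 0xFF
            elif ftype == 2:
                line[x] = (line[x] + b) & 0xFF
            elif ftype == 3:
                line[x] = (line[x] + (a + b) // 2) & 0xFF
            elif ftype == 4:
                line[x] = (line[x] + _paeth(a, b, c)) & 0xFF
        rows.append(bytes(line))
        prev = line
    return rows


def find_bad_palette_indices(png_bytes):
    """Return [(row, col, index)] for every pixel whose index is outside the PLTE table.
    Only 8-bit, non-interlaced, colour-type-3 images are handled; anything else raises."""
    width = height = palette_len = None
    idat = b""
    for ctype, body in iter_chunks(png_bytes):
        if ctype == b"IHDR":
            width, height, depth, colour, _, _, interlace = struct.unpack(">IIBBBBB", body)
            if colour != 3 or depth != 8 or interlace != 0:
                raise ValueError("only 8-bit non-interlaced indexed PNGs are handled here")
        elif ctype == b"PLTE":
            if len(body) % 3 or not 1 <= len(body) // 3 <= 256:
                raise ValueError("malformed PLTE chunk")
            palette_len = len(body) // 3
        elif ctype == b"IDAT":
            idat += body
    if width is None or palette_len is None:
        raise ValueError("missing IHDR or PLTE")
    rows = unfilter_8bit(zlib.decompress(idat), width, height)
    return [(y, x, v) for y, row in enumerate(rows) for x, v in enumerate(row) if v >= palette_len]


# Constructed samples: a 4-entry palette, so only indices 0..3 are valid.
PALETTE = [(255, 0, 0), (0, 255, 0), (0, 0, 255), (0, 0, 0)]
GOOD_PNG = build_indexed_png(3, 2, PALETTE, [[0, 1, 2], [3, 2, 1]])
BAD_PNG = build_indexed_png(3, 2, PALETTE, [[0, 1, 2], [3, 200, 7]])          # two out-of-range indices
BAD_FILTERED_PNG = build_indexed_png(3, 2, PALETTE, [[0, 1, 2], [3, 200, 7]], filters=[1, 1])

if __name__ == "__main__":
    for name, png in (("good", GOOD_PNG), ("bad", BAD_PNG), ("bad-sub-filtered", BAD_FILTERED_PNG)):
        print(name, find_bad_palette_indices(png))
```

A gate built on this would reject any file for which find_bad_palette_indices returns a non-empty list or raises, before the bytes reach libpng. The checker deliberately inflates and unfilters the data itself rather than trusting chunk lengths alone, because the out-of-range indices live in the decompressed pixel stream, not in the chunk headers.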

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
