CVE-2025-64506: Heap Buffer Over-Read in libpng 1.6.0 through 1.6.50 – Upgrade to 1.6.51

Overview

CVE-2025-64506 is a medium-severity heap buffer over-read in libpng, the reference library for reading and writing PNG images. Versions 1.6.0 through 1.6.50 are affected. The defect is in png_write_image_8bit, which is reached through the simplified write API (png_image_write_to_file and png_image_write_to_memory) when the caller passes 8-bit image data with the convert_to_8bit parameter set. The result is an out-of-bounds read from the heap, which can crash the calling application and may leak adjacent heap bytes.

The vulnerability was published on 2025-11-25T00:15:47.300.

Technical Details

The bug is in the conditional that decides whether a row needs the 16-bit pre-transform before it is written. That guard is satisfied by the convert_to_8bit request alone and does not confirm that the input is actually 16-bit linear data, so 8-bit input (one byte per channel) is routed into png_write_image_8bit, which consumes two bytes per channel. For 8-bit grayscale+alpha, RGB and RGBA rows, or rows shorter than the function expects, the conversion loop therefore reads past the end of the caller's input buffer by up to 2 bytes. Note that this is the encode path: the buffer being over-read is the application's own pixel data handed to the simplified write API, not a PNG file being decoded. The realistic attack surface is any service that re-encodes attacker-influenced image data through that API with convert_to_8bit set. Depending on what lies beyond the buffer, the over-read crashes the process (deterministically under AddressSanitizer or a hardened allocator) or folds adjacent heap bytes into the output row.
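The following is an added model of the bug class, written for this page and not libpng's own code: a routing guard that can be satisfied by the convert_to_8bit request alone sends 8-bit rows into a conversion loop that consumes two bytes per sample, while the hardened guard requires the input to be 16-bit before the loop is entered. The FMT_* bits, the guard expressions and the conversion loop are simplified assumptions shaped after the simplified write API; the loop counts the bytes it would have read out of bounds instead of dereferencing them, so the demo is memory safe. The over-read it reports is the model's number for the constructed row, not the "up to 2 bytes" measured against libpng's real row layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Format bits modelled on the simplified API's PNG_FORMAT_FLAG_* family.
 * The values are this demo's own choice, not libpng's. */
#define FMT_ALPHA  0x01u
#define FMT_COLOR  0x02u
#define FMT_LINEAR 0x04u   /* 16-bit linear samples; without it samples are 8-bit sRGB */

static size_t channels_of(unsigned format)
{
    return ((format & FMT_COLOR) ? 3u : 1u) + ((format & FMT_ALPHA) ? 1u : 0u);
}

/* Vulnerable routing (assumed shape of the pre-1.6.51 check): a convert_to_8bit
 * request is enough to enter the 16-bit pre-transform, whatever the input is. */
static int take_16bit_path_vulnerable(unsigned format, int convert_to_8bit)
{
    return ((format & FMT_LINEAR) && (format & FMT_ALPHA)) || convert_to_8bit;
}

/* Hardened routing: the 16-bit transform is only for 16-bit (linear) input. */
static int take_16bit_path_fixed(unsigned format, int convert_to_8bit)
{
    return (format & FMT_LINEAR) && ((format & FMT_ALPHA) || convert_to_8bit);
}

/* Model of the 16-to-8-bit conversion loop. It is bounded by the OUTPUT row
 * (one byte per sample) and consumes two input bytes per sample. To stay memory
 * safe it never dereferences past in_len; it counts the bytes that would have
 * been read out of bounds and substitutes 0 for them. */
static size_t convert_row_16_to_8(const uint8_t *in, size_t in_len,
                                  uint8_t *out, size_t out_len)
{
    size_t overread = 0;
    for (size_t i = 0; i < out_len; i++) {
        size_t off = 2 * i;
        uint16_t sample = 0;
        if (off + 1 < in_len)
            sample = (uint16_t)(in[off] | (in[off + 1] << 8));   /* little-endian demo */
        else
            overread += (off < in_len) ? 1 : 2;
        out[i] = (uint8_t)(sample >> 8);   /* keep the high byte; not libpng's sRGB encoding */
    }
    return overread;
}

/* One row through the write path. Returns how many input bytes were read past
 * in_len; 0 means the row was handled within bounds. out must hold
 * width * channels bytes. */
size_t write_row(unsigned format, int convert_to_8bit, int hardened,
                 const uint8_t *in, size_t in_len, uint8_t *out, size_t width)
{
    size_t out_len = width * channels_of(format);
    int to_16bit = hardened ? take_16bit_path_fixed(format, convert_to_8bit)
                            : take_16bit_path_vulnerable(format, convert_to_8bit);
    if (to_16bit)
        return convert_row_16_to_8(in, in_len, out, out_len);

    /* Direct path: the row is written as supplied. */
    memcpy(out, in, out_len < in_len ? out_len : in_len);
    return 0;
}

/* Constructed sample: one 4-pixel row of 8-bit RGB (12 bytes, no padding).
 * Returns the over-read in bytes for the chosen guard. */
size_t demo_8bit_rgb_overread(int hardened)
{
    static const uint8_t row[12] = { 255,0,0, 0,255,0, 0,0,255, 128,128,128 };
    uint8_t out[12];
    return write_row(FMT_COLOR, 1, hardened, row, sizeof row, out, 4);
}

/* Constructed sample: a 2-pixel row of 16-bit linear grayscale, the input the
 * transform is meant for, through the hardened guard. Returns
 * out[0] << 16 | out[1] << 8 | overread so one value captures the result. */
unsigned demo_16bit_gray_convert(void)
{
    static const uint8_t row[4] = { 0x00, 0xFF, 0x00, 0x80 };   /* 0xFF00, 0x8000 LE */
    uint8_t out[2];
    size_t overread = write_row(FMT_LINEAR, 1, 1, row, sizeof row, out, 2);
    return ((unsigned)out[0] << 16) | ((unsigned)out[1] << 8) | (unsigned)(overread & 0xFFu);
}

int main(void)
{
    unsigned packed = demo_16bit_gray_convert();
    printf("8-bit RGB row, convert_to_8bit=1: vulnerable guard over-reads %zu bytes, fixed guard %zu\n",
           demo_8bit_rgb_overread(0), demo_8bit_rgb_overread(1));
    printf("16-bit gray row converted: out = 0x%02X 0x%02X, over-read %u bytes\n",
           (packed >> 16) & 0xFFu, (packed >> 8) & 0xFFu, packed & 0xFFu);
    return 0;
}
```

The point to take from the model is the shape of the fix: the 16-bit path must be gated on the input format, not on what the caller asked for in the output. Run the real thing under AddressSanitizer if you want the exact libpng overshoot for your own image dimensions.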

CVSS Analysis

The Common Vulnerability Scoring System (CVSS) score for CVE-2025-64506 is 6.1 (Medium).

A Medium rating, not a Critical one: the defect is an over-read rather than a write, so by itself it does not give an attacker control of execution. It still deserves prompt attention because the affected code can be reached with image data that applications routinely accept from untrusted sources, and the fix is a straightforward library upgrade.

Possible Impact

Successful exploitation of CVE-2025-64506 could lead to:

  • Denial of Service (DoS): 8-bit image data that reaches the simplified write API with convert_to_8bit set can crash the application; the crash is deterministic when the process runs under AddressSanitizer or a hardened allocator that guards heap allocations.
  • Information Disclosure: the bytes read beyond the input buffer are treated as pixel samples, so adjacent heap content could be converted and encoded into the PNG that is written out.
  • Potential for Further Exploitation: no chain has been demonstrated, but an out-of-bounds read of heap memory is the kind of primitive that is combined with other bugs (for example to defeat address randomisation) in more severe attacks.

Mitigation / Patch Steps

The vulnerability is fixed in libpng 1.6.51. The recommended mitigation is to upgrade to 1.6.51 or later as soon as possible; there is no configuration switch that disables the affected code path short of not calling the simplified write API with convert_to_8bit.

  1. Identify Affected Systems: Find every copy of libpng in the 1.6.0 through 1.6.50 range. Check the distribution package, but also look for statically linked or bundled copies, since many applications ship their own libpng and are not covered by the system package. Prioritise binaries that actually call png_image_write_to_file or png_image_write_to_memory with convert_to_8bit set on data from outside the trust boundary.
  2. Upgrade libpng: Move to 1.6.51 or later. This may mean updating system packages, rebuilding applications that link libpng statically, or replacing bundled copies in specific deployments. Distributions often backport the fix without changing the version number, so on such systems consult the vendor advisory or package changelog rather than relying on the version string alone.
  3. Verify the Update: Confirm that the version loaded at run time (png_get_libpng_ver(NULL) in the running process, or the shared object the binary actually resolves) is the patched one, not just the headers you compiled against. A header newer than the deployed library is a common way to "upgrade" without fixing anything.
  4. Monitor for Updates: Stay informed about future libpng releases and security advisories.
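To support steps 1 and 3, here is an added C helper (written for this page, not part of libpng) that classifies a libpng version string against the affected range and, when png.h is installed, reports the version of the headers it was compiled against. It uses only the PNG_LIBPNG_VER_STRING macro, so it needs no linking against libpng; the sample version strings in main are constructed for illustration. The run-time comparison against png_get_libpng_ver(NULL) is left as a comment because that call requires linking the library you are auditing.

```c
#include <stdio.h>
#include <stdlib.h>

/* Pick up the header version when libpng's headers are installed; the demo
 * still builds (and reports "unknown") when they are not. Only the macro is
 * used, so nothing has to be linked against libpng. */
#if defined(__has_include)
#  if __has_include(<png.h>)
#    include <png.h>
#  endif
#endif

/* Parse "major.minor.release" as produced by PNG_LIBPNG_VER_STRING and
 * png_get_libpng_ver() (e.g. "1.6.50"). Returns 1 on success, 0 otherwise. */
static int parse_libpng_version(const char *s, int *major, int *minor, int *release)
{
    if (s == NULL)
        return 0;
    if (sscanf(s, "%d.%d.%d", major, minor, release) != 3)
        return 0;
    return *major >= 0 && *minor >= 0 && *release >= 0;
}

/* 1 if the upstream release number is in the CVE-2025-64506 range
 * (1.6.0 through 1.6.50), 0 if it is outside it, -1 if the string cannot be
 * parsed. Caveat: distributions often backport fixes without bumping the
 * version, so a 1 here means "check the vendor advisory", not proof of
 * exposure. */
int libpng_version_affected(const char *version)
{
    int major, minor, release;
    if (!parse_libpng_version(version, &major, &minor, &release))
        return -1;
    return (major == 1 && minor == 6 && release <= 50) ? 1 : 0;
}

/* Version string of the headers this file was compiled against, or NULL when
 * png.h was not available at compile time. */
const char *libpng_header_version(void)
{
#ifdef PNG_LIBPNG_VER_STRING
    return PNG_LIBPNG_VER_STRING;
#else
    return NULL;
#endif
}

int main(void)
{
    /* Constructed version strings illustrating the three possible answers. */
    static const char *samples[] = { "1.6.0", "1.6.50", "1.6.51", "1.5.30", "not-a-version" };
    const char *hdr = libpng_header_version();
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s -> %d\n", samples[i], libpng_version_affected(samples[i]));

    if (hdr == NULL)
        printf("png.h not found: compile-time libpng version unknown\n");
    else
        printf("compiled against libpng %s (affected=%d)\n", hdr, libpng_version_affected(hdr));

    /* In a real audit, also feed png_get_libpng_ver(NULL) from the loaded
     * shared library to libpng_version_affected(): the library the process
     * resolves at run time is what matters, not the header version. */
    return 0;
}
```

Treat a return value of 1 as a prompt to check the package's changelog for the CVE identifier before declaring a host vulnerable, and a -1 as a sign that the string came from somewhere other than libpng itself.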

About the Author

Cybersecurity specialist and founder of Gowri Shankar Infosec, a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
