CVE-2025-64506
Public on 2025-11-25
Modified on 2025-11-25
Description
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, a heap buffer over-read vulnerability exists in libpng's png_write_image_8bit function when processing 8-bit images through the simplified write API with convert_to_8bit enabled. The vulnerability affects 8-bit grayscale+alpha, RGB/RGBA, and images with incomplete row data. A conditional guard incorrectly allows 8-bit input to enter code expecting 16-bit input, causing reads up to 2 bytes beyond allocated buffer boundaries. This issue has been patched in version 1.6.51.
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Firefox Extra | firefox | 2025-12-08 | ALAS2FIREFOX-2025-048 | Fixed |
| Amazon Linux 2023 | firefox | 2025-12-08 | ALAS2023-2025-1305 | Fixed |
| Amazon Linux 2 - Core | libpng | Pending Fix | ||
| Amazon Linux 2023 | libpng | 2025-12-08 | ALAS2023-2025-1306 | Fixed |
| Amazon Linux 2 - Core | libpng12 | Not Affected | ||
| Amazon Linux 2 - Core | thunderbird | 2025-12-08 | ALAS2-2025-3091 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 6.4 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:H |