Hello, everyone,

libpng 1.6.51 has been released to address four buffer overflow vulnerabilities discovered through fuzzing and security research. This release fixes two high-severity and two moderate-severity CVEs affecting libpng 1.6.0 through 1.6.50.

CVE-2025-64505 (CVSS 6.1, Moderate): Heap buffer over-read in png_do_quantize via malformed palette index.

CVE-2025-64506 (CVSS 6.1, Moderate): Heap buffer over-read in png_write_image_8bit with 8-bit input and convert_to_8bit enabled.

CVE-2025-64720 (CVSS 7.1, High): Out-of-bounds read in png_image_read_composite via palette premultiplication with PNG_FLAG_OPTIMIZE_ALPHA.

CVE-2025-65018 (CVSS 7.1, High): Heap buffer overflow in png_combine_row triggered via png_image_finish_read when processing 16-bit interlaced PNGs with 8-bit output format.

All vulnerabilities require user interaction (processing a malicious PNG file) and can result in information disclosure and/or denial of service. CVE-2025-65018 may enable arbitrary code execution via heap corruption in certain heap configurations.

GitHub Security Advisories:
- CVE-2025-64505: https://github.com/pnggroup/libpng/security/advisories/GHSA-4952-h5wq-4m42
- CVE-2025-64506: https://github.com/pnggroup/libpng/security/advisories/GHSA-qpr4-xm66-hww6
- CVE-2025-64720: https://github.com/pnggroup/libpng/security/advisories/GHSA-hfc7-ph9c-wcww
- CVE-2025-65018: https://github.com/pnggroup/libpng/security/advisories/GHSA-7wv6-48j4-hj3g

Fixes:
- CVE-2025-64505: https://github.com/pnggroup/libpng/commit/6a528eb5fd0dd7f6de1c39d30de0e41473431c37
- CVE-2025-64506: https://github.com/pnggroup/libpng/commit/2bd84c019c300b78e811743fbcddb67c9d9bf821
- CVE-2025-64720: https://github.com/pnggroup/libpng/commit/08da33b4c88cfcd36e5a706558a8d7e0e4773643
- CVE-2025-65018: https://github.com/pnggroup/libpng/commit/16b5e3823918840aae65c0a6da57c78a5a496a4d
  https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea

Note: CVE-2025-65018 requires both commits for correct remediation.

Release: https://github.com/pnggroup/libpng/releases/tag/v1.6.51

Credit: Samsung-PENTEST (CVE-2025-64505, CVE-2025-64506, CVE-2025-64720), weijinjinnihao (CVE-2025-64506), yosiimich (CVE-2025-65018), with analysis by Fabio Gritti and John Bowler.

Users should upgrade to libpng 1.6.51 immediately.

Cosmin Truta
libpng maintainer
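
The following is an added example, not part of the announcement and not libpng code: a small C check that classifies a libpng version against the affected range stated above (1.6.0 through 1.6.50). The function and enum names are hypothetical and the sample version strings are constructed; the numeric encoding is the one libpng uses for PNG_LIBPNG_VER and png_access_version_number().

```c
#include <stdio.h>
#include <stdlib.h>

/* Added example (not libpng code): classify a libpng version against the
 * range the announcement names as affected, 1.6.0 through 1.6.50. */
enum png_status {
    PNG_UNPARSABLE = -1,  /* cannot decide from this string */
    PNG_OUT_OF_SCOPE = 0, /* not a 1.6.x version; the announcement is silent */
    PNG_AFFECTED = 1,     /* 1.6.0 .. 1.6.50 */
    PNG_FIXED = 2         /* 1.6.51 or a later 1.6.x */
};

/* ver is libpng's numeric encoding, major*10000 + minor*100 + release:
 * the value of PNG_LIBPNG_VER (headers) or png_access_version_number()
 * (the library actually loaded, which is the one that matters). */
enum png_status classify_number(unsigned long ver)
{
    if (ver >= 10600UL && ver <= 10650UL) return PNG_AFFECTED;
    if (ver >= 10651UL && ver <= 10699UL) return PNG_FIXED;
    return PNG_OUT_OF_SCOPE;
}

/* s is an upstream-style version string, e.g. from a package inventory. */
enum png_status classify_string(const char *s)
{
    unsigned long part[3];
    char *end;
    for (int i = 0; i < 3; i++) {
        if (*s < '0' || *s > '9') return PNG_UNPARSABLE;
        part[i] = strtoul(s, &end, 10);
        if (part[i] > 99) return PNG_UNPARSABLE;
        if (i < 2 && *end++ != '.') return PNG_UNPARSABLE;
        s = end;
    }
    /* A packaging suffix ("-5build1") is accepted; a pre-release tag
     * ("beta01", "rc01") is not, since the string alone cannot place
     * such a build relative to the fixes. */
    if (*s != '\0' && *s != '-' && *s != '+' && *s != ' ') return PNG_UNPARSABLE;
    return classify_number(part[0] * 10000 + part[1] * 100 + part[2]);
}

int main(void)
{
    /* Constructed sample inventory, not real scan output. */
    const char *sample[] = { "1.6.0", "1.6.43-5build1", "1.6.50", "1.6.51",
                             "1.6.51beta01", "1.5.30" };
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++)
        printf("%-16s -> %d\n", sample[i], classify_string(sample[i]));
    return 0;
}
```

A distributor build may carry backported fixes under an older version number, so an AFFECTED result for a packaged library should be confirmed against the distributor's own advisory.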
