CVE-2025-64505
BaseFortify
Publication date: 2025-11-25
Last updated on: 2025-11-26
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| libpng | libpng | to 1.6.51 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a heap buffer over-read in the libpng library's png_do_quantize function. It happens when processing PNG files that have malformed palette indices. Specifically, the function does not properly check the bounds of the palette_lookup array against the image data, allowing an attacker to craft a PNG file with out-of-range palette indices that cause out-of-bounds memory access.
How can this vulnerability impact me? :
The vulnerability can lead to out-of-bounds memory access, which may cause a program using libpng to crash or behave unpredictably. This can result in denial of service or potentially allow an attacker to read sensitive memory contents, depending on the context in which libpng is used.
What immediate steps should I take to mitigate this vulnerability?
Update libpng to version 1.6.51 or later, as this version contains the patch for the heap buffer over-read vulnerability in the png_do_quantize function. Avoid processing untrusted or malformed PNG files until the update is applied.