CVE-2025-66293
BaseFortify
Publication date: 2025-12-03
Last updated on: 2025-12-16
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| libpng | libpng | to 1.6.52 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an out-of-bounds read in the libpng library's simplified API prior to version 1.6.52. It occurs when processing valid palette PNG images that have partial transparency and gamma correction. The bug allows reading up to 1012 bytes beyond the intended png_sRGB_base[512] array due to an internal state management error in libpng.
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized reading of memory beyond the intended buffer, potentially exposing sensitive information. According to the CVSS score, it has a low impact on confidentiality, no impact on integrity, but a high impact on availability, meaning it could cause application crashes or denial of service when processing malicious PNG files.
What immediate steps should I take to mitigate this vulnerability?
Upgrade libpng to version 1.6.52 or later to fix the out-of-bounds read vulnerability.