Out-of-Bounds Read Vulnerability in libpng Affects Simplified API Image Reading
CVE-2025-64720
7.1 HIGH
What is CVE-2025-64720?
An out-of-bounds read vulnerability exists in libpng's simplified image-reading API. It is triggered when a palette (indexed-color) PNG is read with the internal PNG_FLAG_OPTIMIZE_ALPHA flag set and processing reaches the png_image_read_composite function: because background compositing is not performed correctly while premultiplication is in effect, the function violates the strict invariants the simplified API relies on and reads outside the intended buffer. The result is undefined behavior, which in practice means a crash or exposure of adjacent memory contents. Because the flaw is reachable from ordinary image decoding, any application that passes untrusted PNG files through the png_image_* functions should be considered exposed. The issue is fixed in libpng 1.6.51; update to that release or later, and rebuild any application that statically links or vendors its own copy of libpng, since a system-wide package update does not reach those copies.
Affected Version(s)
libpng >= 1.6.0, < 1.6.51
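As an added check, not part of this advisory or of the libpng project: a small Python script that classifies a libpng version against the affected range stated above. It accepts either a version string (as printed by pkg-config or returned by png_get_libpng_ver) or the integer form used by libpng's PNG_LIBPNG_VER macro (major*10000 + minor*100 + release, so 10650 is 1.6.50). The optional pkg-config lookup assumes pkg-config and a libpng .pc file are installed and reports nothing otherwise; the sample versions in the main block are constructed for illustration.

```python
"""Classify a libpng version against the CVE-2025-64720 affected range.

Added example, not part of the advisory. Range taken from the advisory:
libpng >= 1.6.0 and < 1.6.51 is affected; 1.6.51 contains the fix.
"""
import re
import shutil
import subprocess

AFFECTED_MIN = (1, 6, 0)    # first affected release (inclusive)
FIXED_IN = (1, 6, 51)       # first fixed release (exclusive upper bound)

# Matches '1.6.50', 'v1.6.51', '1.6.51rc01'; the pre-release tag is ignored.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, release) from a dotted libpng version string.

    Pre-release suffixes are ignored, so '1.6.51rc01' is classified as
    1.6.51; treat that as a hint, not proof that the fix is present.
    Raises ValueError when no three-part version is found.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised libpng version: {text!r}")
    return tuple(int(part) for part in m.groups())


def parse_png_libpng_ver(value):
    """Decode the integer PNG_LIBPNG_VER macro (e.g. 10651 -> (1, 6, 51))."""
    if value < 0:
        raise ValueError("PNG_LIBPNG_VER must be non-negative")
    return (value // 10000, (value // 100) % 100, value % 100)


def is_affected(version):
    """True if this libpng version falls in the CVE-2025-64720 range.

    `version` may be a version string or the integer PNG_LIBPNG_VER value.
    """
    v = parse_png_libpng_ver(version) if isinstance(version, int) else parse_version(version)
    return AFFECTED_MIN <= v < FIXED_IN


def installed_libpng_version():
    """Ask pkg-config for the system libpng version, or None if unavailable.

    Assumes pkg-config and a libpng .pc file are present. Statically linked
    or vendored copies of libpng inside applications will not show up here.
    """
    if shutil.which("pkg-config") is None:
        return None
    try:
        out = subprocess.run(
            ["pkg-config", "--modversion", "libpng"],
            capture_output=True, text=True, check=True,
        ).stdout.strip()
    except subprocess.CalledProcessError:
        return None
    return out or None


def report(version):
    """Human-readable verdict for a single version (string or integer)."""
    verdict = "AFFECTED (update to 1.6.51 or later)" if is_affected(version) else "not affected"
    return f"libpng {version}: {verdict}"


if __name__ == "__main__":
    # Constructed sample versions for illustration.
    for v in ["1.5.30", "1.6.0", "1.6.50", "1.6.51", "1.7.0", 10650]:
        print(report(v))
    sysver = installed_libpng_version()
    print("system libpng via pkg-config:", report(sysver) if sysver else "not found")
```

Run it on a build host to check the library the toolchain will link against; for applications that bundle libpng, read PNG_LIBPNG_VER from the bundled png.h and pass the integer to is_affected instead.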
