DEBIAN-CVE-2025-28162

DEBIAN-CVE-2025-28162 PUBLISHED CVSS 5.5 MEDIUM

Buffer Overflow vulnerability in libpng 1.6.43-1.6.46 allows a local attacker to cause a denial of service via the pngimage with AddressSanitizer (ASan), the program leaks memory in various locations, eventually leading to high memory usage and causing the program to become unresponsive

Risk Scores

CVSS 3.1

5.5

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected Products

Vendor	Product	Versions
Debian:14	libpng1.6	0, 0
Debian:12	libpng1.6	1.6.39-2+deb12u2, 1.6.39-2, 1.6.39-2+deb12u4
Debian:11	libpng1.6	1.6.46-1, 1.6.43-3, 1.6.43-2
Debian:13	libpng1.6	0, 0

Exploit Intelligence

dockerscan.yml (github-poc)
install.py (github-poc)

Timeline

Jan 27, 2026 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2025-28162 advisory

Open in Interactive Console →