VDB
DEBIAN-CVE-2025-66293
DEBIAN-CVE-2025-66293
PUBLISHED
CVSS 7.099999904632568 HIGH
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.52, an out-of-bounds read vulnerability in libpng's simplified API allows reading up to 1012 bytes beyond the png_sRGB_base[512] array when processing valid palette PNG images with partial transparency and gamma correction. The PNG files that trigger this vulnerability are valid per the PNG specification; the bug is in libpng's internal state management. Upgrade to libpng 1.6.52 or later.
Risk Scores
CVSS 3.1
7.099999904632568
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:14 | libpng1.6 | 1.6.50-1, 1.6.50-1, 1.6.51-1 |
| Debian:12 | libpng1.6 | 0, 1.6.39-2, 0 |
| Debian:13 | libpng1.6 | 0, 0, 1.6.48-1 |
| Debian:11 | libpng1.6 | 0, 1.6.37-3, 0 |
Exploit Intelligence
- pngread.c (github-poc)
- seen_cves.json (github-poc)
- install.py (github-poc)
Timeline
- Dec 3, 2025 CVE Published
- Apr 28, 2026 CVE Updated