EUVD-2025-201132
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
Lifecycle Timeline
5Description
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.52, an out-of-bounds read vulnerability in libpng's simplified API allows reading up to 1012 bytes beyond the png_sRGB_base[512] array when processing valid palette PNG images with partial transparency and gamma correction. The PNG files that trigger this vulnerability are valid per the PNG specification; the bug is in libpng's internal state management. Upgrade to libpng 1.6.52 or later.
Analysis
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.52, an out-of-bounds read vulnerability in libpng's simplified API allows reading up to 1012 bytes beyond the png_sRGB_base[512] array when processing valid palette PNG images with partial transparency and gamma correction. The PNG files that trigger this vulnerability are valid per the PNG specification; the bug is in libpng's internal state management. Upgrade to libpng 1.6.52 or later.
Technical Context
An out-of-bounds memory access occurs when code reads from or writes to memory locations outside the intended buffer boundaries. This vulnerability is classified as Out-of-bounds Read (CWE-125).
Affected Products
Affected products: Libpng Libpng
Remediation
A vendor patch is available — apply it immediately. Implement proper bounds checking on all array and buffer accesses. Use memory-safe languages or static analysis tools to detect OOB issues.
Priority Score
Vendor Status
Ubuntu
Priority: Medium| Release | Status | Version |
|---|---|---|
| jammy | DNE | - |
| noble | DNE | - |
| plucky | DNE | - |
| questing | DNE | - |
| upstream | needs-triage | - |
| trusty | not-affected | code not present |
| xenial | not-affected | code not present |
| Release | Status | Version |
|---|---|---|
| jammy | not-affected | code not present |
| noble | not-affected | code not present |
| plucky | not-affected | code not present |
| questing | not-affected | code not present |
| upstream | needs-triage | - |
| Release | Status | Version |
|---|---|---|
| upstream | needs-triage | - |
| plucky | ignored | end of life, was needs-triage |
| jammy | not-affected | code not present |
| noble | not-affected | code not present |
| questing | not-affected | code not present |
| Release | Status | Version |
|---|---|---|
| jammy | not-affected | code not present |
| noble | not-affected | code not present |
| plucky | not-affected | code not present |
| questing | not-affected | code not present |
| upstream | released | - |
| Release | Status | Version |
|---|---|---|
| upstream | released | 1.6.52-1 |
| jammy | released | 1.6.37-3ubuntu0.3 |
| noble | released | 1.6.43-5ubuntu0.3 |
| bionic | released | 1.6.34-1ubuntu0.18.04.2+esm2 |
| focal | released | 1.6.37-2ubuntu0.1~esm2 |
| xenial | released | 1.6.20-2ubuntu0.1~esm3 |
| plucky | released | 1.6.47-1.1ubuntu0.3 |
| questing | released | 1.6.50-1ubuntu0.3 |
Debian
Bug #1121877| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | fixed | 1.6.37-3+deb11u1 | - |
| bullseye (security) | fixed | 1.6.37-3+deb11u2 | - |
| bookworm | fixed | 1.6.39-2+deb12u1 | - |
| bookworm (security) | fixed | 1.6.39-2+deb12u3 | - |
| trixie (security), trixie | fixed | 1.6.48-1+deb13u3 | - |
| forky, sid | fixed | 1.6.55-1 | - |
| trixie | fixed | 1.6.48-1+deb13u1 | - |
| (unstable) | fixed | 1.6.52-1 | - |
Share
External POC / Exploit Code
Leaving vuln.today