
Debian: libpng Critical DoS Update DLA-4396-1 CVE-2025-64505

Debian LTS, December 7, 2025
Multiple vulnerabilities in libpng lead to potential information disclosure, DoS, and arbitrary code execution risks.
Multiple vulnerabilities have been found in libpng, the official PNG reference library, allowing information disclosure via out-of-bounds read, denial of service via application cra...

Summary

CVE-2025-64505

Heap buffer over-read in png_do_quantize via malformed palette index.

CVE-2025-64506

Heap buffer over-read in png_write_image_8bit.

CVE-2025-64720

Buffer overflow in png_image_read_composite via incorrect palette premultiplication.

CVE-2025-65018

Heap buffer overflow in png_combine_row triggered via png_image_finish_read.

CVE-2025-66293

An out-of-bounds read vulnerability in libpng's simplified API allows reading up to 1012 bytes beyond the png_sRGB_base[512] array when processing palette PNG images with partial transparency and gamma correction.

For Debian 11 bullseye, these problems have been fixed in version
1.6.37-3+deb11u1.

We recommend that you upgrade your libpng1.6 packages.

For the detailed security status of libpng1.6 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/libpng1.6
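As an added example (not part of the Debian advisory or of the libpng project), the following Python check flags installed libpng1.6 packages that are older than the fixed bullseye version 1.6.37-3+deb11u1. It re-implements dpkg's version ordering (epoch, then upstream version, then Debian revision, with "~" sorting before everything else) so it can be run offline over exported package lists from many hosts; the FIXED_VERSIONS table and the SAMPLE_DPKG_LINES inventory below are constructed for the example. On a live Debian host, `dpkg --compare-versions` gives the same answer.

```python
"""Flag libpng1.6 installs below the version fixed by DLA-4396-1 (Debian 11)."""

# Fixed versions taken from the advisory text; keyed by binary package name.
FIXED_VERSIONS = {"libpng1.6": "1.6.37-3+deb11u1"}

# Constructed inventory in the shape `dpkg-query -W` prints: "<package>\t<version>".
SAMPLE_DPKG_LINES = [
    "libpng1.6\t1.6.37-3",                # unpatched bullseye build (constructed)
    "zlib1g\t1:1.2.11.dfsg-2+deb11u2",    # unrelated package, ignored (constructed)
    "libpng1.6\t1.6.37-3+deb11u1",        # patched build (constructed)
]


def _order(c: str) -> int:
    """Weight of one character in dpkg's non-digit ordering ('' marks end of string)."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1          # '~' sorts before everything, even the end of the string
    if c:
        return ord(c) + 256  # other punctuation sorts after letters
    return 0


def _verrevcmp(a: str, b: str) -> int:
    """Compare two upstream-version or revision strings the way dpkg does."""
    def ch(s, k):
        return s[k] if k < len(s) else ""

    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Alternate: compare a run of non-digits character by character ...
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # ... then a run of digits numerically (leading zeros ignored, longer run wins).
        while ch(a, i) == "0":
            i += 1
        while ch(b, j) == "0":
            j += 1
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if ch(a, i).isdigit():
            return 1
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v: str):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return <0, 0 or >0 as Debian version a is lower than, equal to or higher than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    r = _verrevcmp(ua, ub)
    if r:
        return (r > 0) - (r < 0)
    r = _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def audit_inventory(dpkg_lines, fixed=FIXED_VERSIONS):
    """Return (package, installed, fixed) for every tracked package still below the fix."""
    findings = []
    for line in dpkg_lines:
        pkg, _, ver = line.strip().partition("\t")
        if pkg in fixed and compare_versions(ver, fixed[pkg]) < 0:
            findings.append((pkg, ver, fixed[pkg]))
    return findings


if __name__ == "__main__":
    for pkg, installed, fixed in audit_inventory(SAMPLE_DPKG_LINES):
        print(f"{pkg}: installed {installed} is below fixed {fixed}; upgrade required")
```

The version comparison is the part worth keeping: a plain string or float comparison would rank 1.6.37-3 and 1.6.37-3+deb11u1 wrongly, and would treat a backport like 1.6.37-3~bpo11+1 as newer than 1.6.37-3 when dpkg treats it as older. Feeding the function real `dpkg-query -W` output from each host (or a package list collected by configuration management) turns the advisory into a fleet-wide exposure check.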

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be

Severity: critical

Package: libpng1.6
Version: 1.6.37-3+deb11u1
CVE ID: CVE-2025-64505 CVE-2025-64506 CVE-2025-64720 CVE-2025-65018
Debian Bug: 1121216 1121217 1121218 1121219 1121877
