Unrated severity · NVD Advisory · Published Dec 3, 2025 · Updated Dec 4, 2025
LIBPNG has an out-of-bounds read in png_image_read_composite
CVE-2025-66293
Description
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.52, an out-of-bounds read vulnerability in libpng's simplified API allows reading up to 1012 bytes beyond the png_sRGB_base[512] array when processing valid palette PNG images with partial transparency and gamma correction. The PNG files that trigger this vulnerability are valid per the PNG specification; the bug is in libpng's internal state management. Upgrade to libpng 1.6.52 or later.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
- github.com/pnggroup/libpng/commit/788a624d7387a758ffd5c7ab010f1870dea753a1
- github.com/pnggroup/libpng/commit/a05a48b756de63e3234ea6b3b938b8f5f862484a
- github.com/pnggroup/libpng/issues/764
- github.com/pnggroup/libpng/security/advisories/GHSA-9mpm-9pxh-mg4f
News mentions (0)
No linked articles in our index yet.