Mallory
Severity: Medium

Heap buffer over-read in libpng png_do_quantize

Identifiers: CVE-2025-64505; CWE-125 (Out-of-bounds Read)

CVE-2025-64505 is a heap buffer over-read in libpng prior to version 1.6.51. The flaw is in the png_do_quantize function when processing PNG images containing malformed palette indices: libpng does not validate palette indices taken from the image data against the bounds of the palette_lookup array, so a crafted out-of-range index causes an out-of-bounds memory read during quantization. Apple advisories for downstream products affected through ImageIO describe the issue as processing a maliciously crafted file leading to unexpected app termination. The issue is fixed in libpng 1.6.51.


Analyst brief: Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation causes out-of-bounds reads from heap memory while a vulnerable application processes a crafted PNG file. The confirmed downstream impact in the cited advisories is denial of service through unexpected application or process termination. Debian's advisory for the wider libpng vulnerability set notes that issues of this class can also contribute to information disclosure and potentially arbitrary code execution, but for CVE-2025-64505 specifically the available evidence supports a crash (DoS) and possible memory disclosure from the over-read, not confirmed code execution.

Mitigation

If you can’t patch tonight, do this now.

Until patches can be applied, avoid processing untrusted or externally supplied PNG files in applications linked against vulnerable libpng versions. Reduce attack surface by disabling or restricting PNG parsing paths where feasible, sandboxing image-processing components, and filtering or validating uploaded image content before it reaches libpng-based processing. Monitor for crashes or anomalous behavior associated with malformed PNG inputs.

Remediation

Patch, then assume compromise.

Upgrade libpng to version 1.6.51 or later. On Debian-based systems, apply the fixed packages from Debian's security update addressing this CVE set: libpng1.6 version 1.6.39-2+deb12u1 for bookworm or 1.6.48-1+deb13u1 for trixie. On Apple platforms, apply the OS security updates that incorporate the upstream fix through the ImageIO / open-source component updates.
Public exploits

No public exploits tracked (0 valid of 0 total); no public exploit code has been observed for this vulnerability.

Exposure surface: affected products & vendors

Products and vendors correlated with this vulnerability (vendor-confirmed product mapping):

Vendor   Product   Type
Libpng   Libpng    application
