Vulnerability Description
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, there is a heap buffer overflow vulnerability in the libpng simplified API function png_image_finish_read when processing 16-bit interlaced PNGs with 8-bit output format. Attacker-crafted interlaced PNG files cause heap writes beyond allocated buffer bounds. This issue has been patched in version 1.6.51.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Libpng | Libpng | >= 1.6.0, < 1.6.51 |
Related Weaknesses (CWE)
References
- https://github.com/pnggroup/libpng/commit/16b5e3823918840aae65c0a6da57c78a5a496aPatch
- https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1Patch
- https://github.com/pnggroup/libpng/issues/755ExploitIssue Tracking
- https://github.com/pnggroup/libpng/pull/757Issue Tracking
- https://github.com/pnggroup/libpng/security/advisories/GHSA-7wv6-48j4-hj3gExploitVendor Advisory
- https://github.com/pnggroup/libpng/issues/755ExploitIssue Tracking
- https://github.com/pnggroup/libpng/security/advisories/GHSA-7wv6-48j4-hj3gExploitVendor Advisory
FAQ
What is CVE-2025-65018?
CVE-2025-65018 is a vulnerability with a CVSS score of 7.1 (HIGH). LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, there is a heap buffer ...
How severe is CVE-2025-65018?
CVE-2025-65018 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-65018?
Check the references section above for vendor advisories and patch information. Affected products include: Libpng Libpng.