CVE-2025-65018: 
Linux Debian 脆弱性の分析と軽減

CVE-2025-65018 is a heap buffer overflow vulnerability discovered in libpng versions 1.6.0 through 1.6.50. The vulnerability affects the libpng simplified API function pngimagefinish_read when processing 16-bit interlaced PNGs with 8-bit output format. The issue was discovered by security researcher yosiimich and was patched in libpng version 1.6.51, released on November 22, 2025 (Openwall List, GitHub Advisory).

The vulnerability occurs when processing interlaced PNG images where the PNG header (IHDR) declares 16-bit color depth with Adam7 interlacing, while the application requests 8-bit output format. During interlaced image processing, the pngcombinerow function writes using 16-bit IHDR depth before transformation, causing writes beyond the buffer allocated via PNGIMAGESIZE(image). For example, with a 32×32 pixel image, when the input format is 16 bits/channel × 3 channels = 6144 bytes, but the output buffer is allocated for 8 bits/channel × 4 channels = 4096 bytes, this results in a 2048-byte overflow. The vulnerability has been assigned a CVSS score of 7.1 (High) (GitHub Advisory).

The vulnerability can lead to heap corruption with potential consequences including arbitrary code execution through heap metadata corruption, and denial of service through deterministic crashes. The impact is more severe with larger images - for example, a 256×256 pixel image can cause an overflow of 131,072 bytes (GitHub Advisory).

The vulnerability was fixed in libpng version 1.6.51 through two consecutive commits. The final fix introduced an intermediate buffer specifically for the 16-to-8 bit conversion of interlaced images, while maintaining the fast path for non-interlaced images. Users are strongly advised to upgrade to libpng 1.6.51 or later. For those unable to upgrade immediately, a temporary workaround involves forcing 16-bit output format for interlaced 16-bit PNGs, though this is not officially supported and may break in future versions (GitHub Advisory, Openwall List).