CVE-2025-64505: 
Linux Debian vulnerability analysis and mitigation

CVE-2025-64505 is a heap buffer over-read vulnerability discovered in LIBPNG, a reference library for handling PNG (Portable Network Graphics) image files. The vulnerability affects versions prior to 1.6.51 and was discovered through fuzzing and security research. The issue exists in libpng's pngdoquantize function when processing PNG files with malformed palette indices (GitHub Advisory, Debian Tracker).

The vulnerability occurs when palettelookup array bounds are not validated against externally-supplied image data in the pngdoquantize function. The pngsetquantize function allocates the quantizeindex array based on numpalette from the PNG file, but pngdoquantize trusts external pixel data as valid indices without validation. When numpalette is small (e.g., 4) but pixel data contains indices up to 255, this results in reading up to 251 bytes beyond the allocated buffer. The vulnerability has been assigned a CVSS score of 6.1 (Moderate) with vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H (GitHub Advisory).

The vulnerability can lead to information disclosure through heap memory leakage and denial of service through application crashes. The exploitation requires user interaction in the form of processing a maliciously crafted PNG file (OpenWall).

The vulnerability has been fixed in libpng version 1.6.51. The fix involves allocating the quantizeindex array to PNGMAXPALETTELENGTH (256 bytes) instead of numpalette bytes, matching the allocation pattern for palette[], transalpha[], and riffled_palette[]. This prevents buffer overflows from malformed PNG files with out-of-range palette indices. Users are advised to upgrade to libpng 1.6.51 immediately (OpenWall).