CVE-2025-64506: 
Linux Debian vulnerability analysis and mitigation

A heap buffer over-read vulnerability (CVE-2025-64506) was discovered in libpng versions 1.6.0 to before 1.6.51. The vulnerability exists in the pngwriteimage8bit function when processing 8-bit images through the simplified write API with convertto_8bit enabled. This affects 8-bit grayscale+alpha, RGB/RGBA, and images with incomplete row data. The issue was patched in version 1.6.51 released in November 2025 (GitHub Advisory, OSS Security).

The vulnerability stems from a conditional guard that incorrectly allows 8-bit input to enter code expecting 16-bit input. The vulnerable condition in pngwrite.c failed to verify that input was 16-bit (linear != 0), contradicting the intended functionality. When a buffer of N bytes is treated as N/2 uint16 values, reads extend up to 2 bytes beyond allocated buffer boundaries. The vulnerability has been assigned a CVSS score of 6.1 (Moderate) with attack vector: Local, attack complexity: Low, and user interaction: Required (GitHub Advisory).

The vulnerability can lead to information disclosure through heap memory leakage and potential denial of service through application crashes. The exploitation requires user interaction in the form of processing a malicious PNG file (OSS Security).

The vulnerability has been fixed in libpng version 1.6.51. The fix restructures the condition to ensure both the alpha path and the convertto8bit path require linear (16-bit) input, preventing 8-bit buffers from being treated as 16-bit data. Users are advised to upgrade to libpng 1.6.51 immediately (OSS Security, GitHub Commit).