CVE-2025-64720: 
Linux Debian vulnerability analysis and mitigation

CVE-2025-64720 is an out-of-bounds read vulnerability affecting LIBPNG, a reference library for handling PNG (Portable Network Graphics) image files. The vulnerability exists in versions 1.6.0 through 1.6.50, specifically in the pngimagereadcomposite function when processing palette images with PNGFLAGOPTIMIZEALPHA enabled. The issue was discovered in November 2025 and has been patched in version 1.6.51 (Debian Security, GitHub Advisory).

The vulnerability occurs when the palette compositing code in pnginitreadtransformations incorrectly applies background compositing during premultiplication, violating the invariant component ≤ alpha × 257 required by the simplified PNG API. The calculation produces component values up to 16,776,960 (0x1000800), where (component >> 15) == 512, leading to out-of-bounds array access in pngsRGBbase and pngsRGB_delta arrays which only have indices 0-511. The vulnerability has been assigned a CVSS score of 7.1 (High) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H (GitHub Advisory).

The vulnerability can lead to information disclosure through out-of-bounds read of adjacent memory (CWE-125) and potential denial of service through application crashes. The exploitation requires user interaction in the form of processing a malicious PNG file (OSS Security).

The vulnerability has been patched in libpng version 1.6.51. The fix introduces conditional behavior in pnginitreadtransformations based on PNGFLAGOPTIMIZEALPHA, ensuring component ≤ (alpha × 257) and guaranteeing (component >> 15) ≤ 1, which keeps values within valid array bounds. No practical workaround is available, and users are advised to upgrade to version 1.6.51 or newer (GitHub PR, GitHub Advisory).