CVE-2025-65018
Linux Debian vulnerability analysis and mitigation

Overview

CVE-2025-65018 is a heap buffer overflow vulnerability discovered in libpng versions 1.6.0 through 1.6.50. The vulnerability affects the libpng simplified API function png_image_finish_read when processing 16-bit interlaced PNGs with 8-bit output format. The issue was discovered by security researcher yosiimich and was patched in libpng version 1.6.51, released on November 22, 2025 (Openwall List, GitHub Advisory).

Technical details

The vulnerability occurs when processing interlaced PNG images whose header (IHDR) declares 16-bit color depth with Adam7 interlacing while the application requests an 8-bit output format. During interlaced image processing, the png_combine_row function writes rows at the 16-bit IHDR depth before the transformation is applied, so the writes run past the buffer allocated via PNG_IMAGE_SIZE(image). For example, with a 32×32 pixel image, the input at 16 bits/channel × 3 channels occupies 6144 bytes, but the output buffer is allocated for 8 bits/channel × 4 channels = 4096 bytes, which results in a 2048-byte overflow. The vulnerability has been assigned a CVSS score of 7.1 (High) (GitHub Advisory).
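The header condition and size arithmetic described above, as an added example (not code from libpng or the advisory): a C check that reads the PNG signature and IHDR chunk and flags files declaring 16-bit depth with Adam7 interlacing. The function names, the constructed 29-byte sample header, and the 8-bit, 4-channel output buffer assumed in `main` are illustrative.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct ihdr { uint32_t width, height; uint8_t bit_depth, color_type, interlace; };

/* Constructed sample: signature + IHDR of a 32x32, 16-bit RGB, Adam7 PNG. */
const uint8_t sample_hdr[29] = {
    0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n', 0, 0, 0, 13, 'I', 'H', 'D', 'R',
    0, 0, 0, 32, 0, 0, 0, 32, 16, 2, 0, 0, 1 };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse the signature and IHDR chunk; returns 0 on success, -1 if malformed. */
int parse_ihdr(const uint8_t *buf, size_t len, struct ihdr *out) {
    if (len < 29 || memcmp(buf, "\x89PNG\r\n\x1a\n", 8) != 0) return -1;
    if (be32(buf + 8) != 13 || memcmp(buf + 12, "IHDR", 4) != 0) return -1;
    out->width = be32(buf + 16); out->height = be32(buf + 20);
    out->bit_depth = buf[24]; out->color_type = buf[25]; out->interlace = buf[28];
    /* PNG limits both dimensions to 1..2^31-1. */
    if (!out->width || !out->height || (out->width | out->height) >> 31) return -1;
    return 0;
}

/* Channels per pixel for a PNG colour type (0 for an invalid type). */
static unsigned channels(uint8_t ct) {
    return ct == 0 || ct == 3 ? 1 : ct == 2 ? 3 : ct == 4 ? 2 : ct == 6 ? 4 : 0;
}

/* 1 when IHDR declares 16-bit depth with Adam7 interlacing (interlace method 1). */
int is_16bit_interlaced(const struct ihdr *h) { return h->bit_depth == 16 && h->interlace == 1; }

/* Excess of 16-bit rows over an 8-bit out_channels buffer (page's arithmetic), saturating. */
uint64_t excess_bytes(const struct ihdr *h, unsigned out_channels) {
    uint64_t px = (uint64_t)h->width * h->height;
    unsigned in_bpp = channels(h->color_type) * 2;
    if (!is_16bit_interlaced(h) || in_bpp <= out_channels) return 0;
    unsigned diff = in_bpp - out_channels;
    return px > UINT64_MAX / diff ? UINT64_MAX : px * diff;
}

int main(void) {
    struct ihdr h;
    if (parse_ihdr(sample_hdr, sizeof sample_hdr, &h) != 0) return 1;
    printf("%ux%u flagged=%d excess=%llu\n", (unsigned)h.width, (unsigned)h.height, is_16bit_interlaced(&h), (unsigned long long)excess_bytes(&h, 4));
    return 0;
}
```

The triage signal is `is_16bit_interlaced`; `excess_bytes` only reproduces the page's size comparison and is not a statement about every code path in libpng.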

Impact

The vulnerability can lead to heap corruption, with potential consequences including arbitrary code execution through heap metadata corruption and denial of service through deterministic crashes. The impact is more severe with larger images; for example, a 256×256 pixel image can cause an overflow of 131,072 bytes (GitHub Advisory).

Mitigation and workarounds

The vulnerability was fixed in libpng version 1.6.51 through two consecutive commits. The final fix introduced an intermediate buffer specifically for the 16-to-8 bit conversion of interlaced images, while maintaining the fast path for non-interlaced images. Users are strongly advised to upgrade to libpng 1.6.51 or later. For those unable to upgrade immediately, a temporary workaround involves forcing 16-bit output format for interlaced 16-bit PNGs, though this is not officially supported and may break in future versions (GitHub Advisory, Openwall List).

This report was generated using AI.

Related Linux Debian vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2025-65018 | HIGH | 7.1 | Linux Debian | media-libs/libpng | No | Yes | Nov 25, 2025 |
| CVE-2025-64720 | HIGH | 7.1 | Linux Debian | libpng1.6 | No | Yes | Nov 25, 2025 |
| CVE-2025-59820 | MEDIUM | 6.7 | Linux Debian | krita | No | Yes | Nov 26, 2025 |
| CVE-2025-64506 | MEDIUM | 6.1 | Linux Debian | libpng | No | Yes | Nov 25, 2025 |
| CVE-2025-64505 | MEDIUM | 6.1 | Linux Debian | libpng1.6 | No | Yes | Nov 25, 2025 |
