CVE-2025-28162

5.5 MEDIUM

📋 TL;DR

A buffer overflow in libpng 1.6.43 through 1.6.46 allows a local attacker to cause a denial of service (memory exhaustion) by supplying a crafted PNG file. Any application that decodes PNG images with a vulnerable libpng is affected; the exposure is greatest on systems where untrusted users can submit PNG files for processing.

💻 Affected Systems

Products:
  • libpng
  • Applications using libpng library
Versions: 1.6.43 through 1.6.46
Operating Systems: Linux, Windows, macOS, BSD, All platforms using libpng
Default Config Vulnerable: ⚠️ Yes
Notes: The public report is an AddressSanitizer (ASan) trace, and an ASan build turns the overflow into an immediate abort; the underlying buffer overflow is present in ordinary (uninstrumented) builds as well.

📦 What is this software?

libpng is the reference C library for reading and writing PNG images. It is linked into browsers, image converters, GUI toolkits and server-side thumbnailing and upload pipelines, so a libpng bug is normally reached through whichever application hands it an image.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Memory exhaustion in the process decoding the file; on a host without per-process resource limits this can starve other processes and leave the whole system unresponsive, affecting every application that relies on libpng there

🟠

Likely Case

Application crashes or becomes unresponsive when processing malicious PNG files, leading to service disruption

🟢

If Mitigated

Minimal impact: with input validation and per-process memory limits in place, a crafted file aborts one decode rather than taking down the host

🌐 Internet-Facing: MEDIUM - Web applications accepting PNG uploads could be targeted, but requires specific conditions
🏢 Internal Only: LOW - Requires local access and ability to trigger PNG processing

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access, or some other path by which an attacker-supplied PNG reaches a vulnerable decoder. A proof of concept is available in the GitHub issue linked under Official Fix.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: libpng 1.6.47 or later

Vendor Advisory: https://github.com/pnggroup/libpng/issues/656

Restart Required: Yes

Instructions:

1. Update libpng to 1.6.47 or later.
2. Linux: use the distribution package manager (Debian/Ubuntu: apt-get install --only-upgrade libpng16-16, or libpng16-16t64 on releases that ship it; RHEL/Fedora: yum update libpng or dnf upgrade libpng). Package names differ between distributions; search for "libpng" if these do not match.
3. Windows and other platforms without a package manager: download the updated release from libpng.org and rebuild.
4. Rebuild applications that link libpng statically or bundle their own copy; dynamically linked applications pick up the new shared library on restart.
5. Restart affected services.

🔧 Temporary Workarounds

Disable PNG processing

all

Temporarily disable PNG image processing in vulnerable applications

Application-specific configuration changes

Implement memory limits

linux

Set a virtual-memory limit for applications using libpng so that a runaway decode fails inside that process instead of exhausting the host

ulimit -v [memory_limit_in_kb] (Linux; sets RLIMIT_AS for the shell and every process it starts)
For services, apply the equivalent in the service manager, e.g. MemoryMax= in a systemd unit, or a container memory limit

🧯 If You Can't Patch

  • Implement strict input validation for PNG files
  • Isolate applications using libpng in containers with resource limits
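A worked example of the two controls named above: the memory-limit workaround (the per-process form of ulimit -v) and the input validation / resource isolation advised when you cannot patch. This is added code, not libpng's or any project's, and it does not remove the overflow; it bounds what a crafted file can cost before and while libpng runs. validate_png reads only the PNG container (signature, chunk lengths, CRCs, IHDR dimensions), estimates the decoded size and refuses images over a budget; run_with_memory_limit caps RLIMIT_AS on the decoder child. The sample PNGs are constructed by make_png, the decoder command in the demo is a stand-in, and MAX_DECODED_BYTES and MAX_CHUNK_BYTES are illustrative budgets to size for your own workload.

```python
"""Pre-check untrusted PNGs and decode them under a memory cap.

Added example, not libpng project code. It does not remove the overflow in
libpng; it limits what a crafted file can cost before and while libpng runs.
Assumes a POSIX host (resource.setrlimit). The budgets below are illustrative.
"""
import struct
import subprocess
import sys
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MAX_DECODED_BYTES = 64 * 1024 * 1024   # illustrative cap on one decoded image
MAX_CHUNK_BYTES = 8 * 1024 * 1024      # refuse absurd single chunks up front
SAMPLES = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # PNG colour type -> samples per pixel
PYTHON = sys.executable                # stand-in "decoder" used by the demo below


def validate_png(data: bytes) -> str:
    """Return 'ok' or a rejection reason, looking only at the container layer:
    signature, every chunk's length and CRC, and the decoded size implied by IHDR."""
    if not data.startswith(PNG_SIG):
        return "bad signature"
    pos, saw_ihdr, saw_iend = len(PNG_SIG), False, False
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if length > MAX_CHUNK_BYTES:
            return f"chunk {ctype!r} too large ({length} bytes)"
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            return "truncated chunk"
        if struct.unpack(">I", crc)[0] != zlib.crc32(ctype + body) & 0xFFFFFFFF:
            return f"bad CRC on {ctype!r}"
        if ctype == b"IHDR":
            if saw_ihdr or length != 13:
                return "malformed IHDR"
            width, height, depth, colour = struct.unpack(">IIBB", body[:10])
            if width == 0 or height == 0 or colour not in SAMPLES:
                return "invalid IHDR fields"
            row = 1 + (width * SAMPLES[colour] * depth + 7) // 8  # filter byte + samples
            if height * row > MAX_DECODED_BYTES:
                return f"decoded size {height * row} exceeds budget"
            saw_ihdr = True
        elif not saw_ihdr:
            return "chunk before IHDR"
        elif ctype == b"IEND":
            saw_iend = True
            break
        pos += 12 + length
    return "ok" if saw_ihdr and saw_iend else "missing IHDR or IEND"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png(width: int, height: int, with_pixels: bool = True) -> bytes:
    """Constructed sample: a minimal 8-bit RGB PNG (not a captured file)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    parts = [PNG_SIG, _chunk(b"IHDR", ihdr)]
    if with_pixels:  # one filter byte (0 = None) per row, then RGB samples
        raw = b"".join(b"\x00" + b"\x7f" * (3 * width) for _ in range(height))
        parts.append(_chunk(b"IDAT", zlib.compress(raw)))
    return b"".join(parts + [_chunk(b"IEND", b"")])


def run_with_memory_limit(cmd, limit_bytes: int, stdin_bytes: bytes = b"") -> int:
    """Run a decoder with RLIMIT_AS capped, the per-process form of 'ulimit -v'.
    A decode that outgrows the cap gets allocation failures in the child and
    exits non-zero; the host keeps its memory. Returns the exit status."""
    import resource  # POSIX only; on Windows a Job Object plays this role

    def cap():
        soft, hard = resource.getrlimit(resource.RLIMIT_AS)
        new = limit_bytes if hard == resource.RLIM_INFINITY else min(limit_bytes, hard)
        resource.setrlimit(resource.RLIMIT_AS, (new, hard))

    done = subprocess.run(cmd, input=stdin_bytes, preexec_fn=cap, capture_output=True)
    return done.returncode


if __name__ == "__main__":
    for name, png in [("small", make_png(4, 3)), ("huge", make_png(100000, 100000, False))]:
        verdict = validate_png(png)
        print(f"{name}: {verdict}")
        if verdict == "ok":
            # Stand-in for a real libpng-based decoder reading the file on stdin.
            rc = run_with_memory_limit([PYTHON, "-c", "import sys; sys.stdin.buffer.read()"],
                                       1 << 30, png)
            print(f"{name}: decoder exit status {rc}")
```

The decoded-size estimate is deliberately the uncompressed row size times the height, which is what a naive decoder must hold; a file of a few hundred bytes that declares 100000 x 100000 pixels is refused on the header alone, which is the cheapest point to stop it.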

🔍 How to Verify

Check if Vulnerable:

Determine the libpng version in use and compare it with the affected range 1.6.43 through 1.6.46. pkg-config --modversion libpng or libpng16-config --version report the development package's version; dpkg -l and rpm -qa report the installed package; pngcrush -version reports the libpng that pngcrush itself was linked against, which may be a bundled copy rather than the system library. Distributions sometimes backport a fix without changing the upstream version number, so if the version string looks affected, check the package changelog for CVE-2025-28162 before concluding.

Check Version:

pkg-config --modversion libpng 2>/dev/null || libpng16-config --version 2>/dev/null || dpkg -l 'libpng*' 2>/dev/null | grep '^ii' || rpm -qa 'libpng*' 2>/dev/null || pngcrush -version 2>&1 | grep libpng

Verify Fix Applied:

Re-run the version check and confirm 1.6.47 or later (or a distribution package whose changelog names CVE-2025-28162). If you have the proof-of-concept file from the vendor issue, decode it in an isolated test environment, ideally with an AddressSanitizer build, and confirm the decoder no longer reports an overflow.
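The version check above as a script, added here as an example rather than taken from libpng or the advisory. The tools it probes (pkg-config, libpng16-config, pngcrush) are real; the package-manager and tool output lines it parses in its tests are constructed. The affected range comes from the advisory: 1.6.43 through 1.6.46, fixed in 1.6.47. One thing the script cannot settle is a distribution backport that keeps the upstream version string, so treat a VULNERABLE verdict as a prompt to read the package changelog rather than as proof.

```python
"""Check whether an installed libpng falls in the CVE-2025-28162 range.

Added example, not libpng project code. The parsing functions work on any
version string; probe_installed() only runs tools that are actually present.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

VULN_LOW = (1, 6, 43)   # first affected release per the advisory
VULN_HIGH = (1, 6, 46)  # last affected release; 1.6.47 carries the fix

# Prefer the triple that follows the word "libpng" (pngcrush prints its own
# version first); fall back to the first x.y.z anywhere (dpkg/rpm lines).
_AFTER_LIBPNG = re.compile(r"libpng\D{0,8}(\d+)\.(\d+)\.(\d+)")
_ANY_TRIPLE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Pull the libpng x.y.z triple out of tool or package-manager output.

    Handles 'pngcrush 1.8.13, uses libpng 1.6.45 ...', a dpkg line such as
    'ii  libpng16-16t64:amd64  1.6.47-1.1  amd64', an rpm name like
    'libpng-1.6.44-2.fc41.x86_64', or a bare '1.6.44'.
    """
    m = _AFTER_LIBPNG.search(text) or _ANY_TRIPLE.search(text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: str) -> Optional[bool]:
    """True for 1.6.43..1.6.46, False otherwise, None if no version is found."""
    v = parse_version(version)
    if v is None:
        return None
    return VULN_LOW <= v <= VULN_HIGH


def probe_installed() -> Optional[str]:
    """Ask whichever local tool exists for the libpng version string.

    pkg-config and libpng16-config ship with libpng's development package;
    pngcrush reports the libpng it was linked against, which may be a bundled
    copy rather than the system library.
    """
    probes = [
        ["pkg-config", "--modversion", "libpng"],
        ["libpng16-config", "--version"],
        ["pngcrush", "-version"],
    ]
    for cmd in probes:
        if shutil.which(cmd[0]) is None:
            continue
        out = subprocess.run(cmd, capture_output=True, text=True)
        text = (out.stdout + out.stderr).strip()
        if parse_version(text):
            return text
    return None


if __name__ == "__main__":
    found = probe_installed()
    if found is None:
        print("no libpng tooling found; check your package manager instead")
    else:
        state = {True: "VULNERABLE", False: "not in affected range", None: "unknown"}
        print(f"{found!r}: {state[is_vulnerable(found)]}")
```

To check a package-manager line instead of a local tool, pass it straight to is_vulnerable(), as the tests below do with constructed dpkg and rpm output.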

📡 Detection & Monitoring

Log Indicators:

  • Application crashes when processing PNG files
  • High memory usage alerts
  • AddressSanitizer error messages

Network Indicators:

  • PNG uploads that are unusually large, arrive in bursts, or come repeatedly from a single source

SIEM Query:

source="application_logs" AND ("libpng" OR ".png") AND ("crash" OR "SIGSEGV" OR "out of memory" OR "AddressSanitizer")

The bare term "png" matches far too much; anchoring on "libpng" or the ".png" extension and on concrete crash and memory strings keeps the query usable.
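The log indicators above turned into a small triage script, added here as an example that is not part of this advisory. SAMPLE_LOG is constructed: its lines imitate the shape of libpng warnings, AddressSanitizer reports and the kernel OOM-killer message, but the process names, PIDs, addresses and timestamps are invented. The scan does one thing a keyword search does not: it links a crash or OOM line to PNG activity through the process id, so the ASan report and the kill that follows it are flagged as PNG-related even though neither line mentions a PNG file itself.

```python
"""Triage application logs for the crash and memory signals this advisory lists.

Added example, not part of the advisory or of libpng. SAMPLE_LOG is constructed:
the line shapes follow real libpng, AddressSanitizer and kernel OOM output, but
the process names, PIDs, addresses and timestamps are invented.
"""
import re
from typing import Iterable, List, Optional, Tuple

# (label, pattern), most specific first; the first match wins.
RULES = [
    ("asan-overflow", re.compile(r"AddressSanitizer: \S*buffer-overflow")),
    ("asan-other", re.compile(r"ERROR: AddressSanitizer")),
    ("libpng-error", re.compile(r"libpng (error|warning)", re.I)),
    ("libpng-frame", re.compile(r"libpng16?\.so")),  # stack frame inside the library
    ("oom-kill", re.compile(r"Out of memory: Killed process|oom-killer")),
    ("crash-signal", re.compile(r"\b(SIGSEGV|SIGABRT|SIGBUS|Segmentation fault)\b")),
]
PNG_CONTEXT = re.compile(r"\.png\b|libpng|png_", re.I)  # any mention of PNG work
PID_RE = re.compile(r"\[(\d+)\]:|process (\d+)\b")       # syslog tag or OOM-killer text


def pid_of(line: str) -> Optional[str]:
    """Extract the process id from a syslog-style tag or an OOM-killer line."""
    m = PID_RE.search(line)
    return (m.group(1) or m.group(2)) if m else None


def scan(lines: Iterable[str]) -> List[Tuple[int, str, bool]]:
    """Return (line number, label, png_related) for every suspicious line.

    png_related is True if the line itself mentions PNG work, or if any line
    in the log from the same process does; that ties an ASan report or an
    OOM kill to the PNG decode that preceded it.
    """
    lines = list(lines)
    png_pids = {pid_of(l) for l in lines if PNG_CONTEXT.search(l)} - {None}
    hits = []
    for n, line in enumerate(lines, 1):
        for label, pat in RULES:
            if pat.search(line):
                related = bool(PNG_CONTEXT.search(line)) or pid_of(line) in png_pids
                hits.append((n, label, related))
                break
    return hits


# Constructed sample log; not captured from a real system.
SAMPLE_LOG = """\
2025-03-10T09:12:01Z thumbnailer[4121]: INFO processed upload_0317.png in 12ms
2025-03-10T09:12:03Z thumbnailer[4121]: libpng warning: iCCP: known incorrect sRGB profile
2025-03-10T09:12:05Z thumbnailer[4121]: ==4121==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000f0
2025-03-10T09:12:05Z thumbnailer[4121]:     #0 0x7f1 in ?? (/usr/lib/x86_64-linux-gnu/libpng16.so.16+0x1a2b0)
2025-03-10T09:12:07Z kernel: Out of memory: Killed process 4121 (thumbnailer) total-vm:8123456kB
2025-03-10T09:13:40Z webapp[2201]: INFO user alice uploaded avatar.png (2.1 MB)
2025-03-10T09:14:02Z scheduler[77]: worker exited with SIGSEGV while running report.pdf
"""

if __name__ == "__main__":
    for n, label, related in scan(SAMPLE_LOG.splitlines()):
        print(f"line {n:2d} {label:14s} png_related={related}")
```

On a real host, feed scan() the lines of the application log or journal and alert on hits where png_related is True; the SIGSEGV from the unrelated scheduler process in the sample stays a hit but is not attributed to PNG handling.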

🔗 References

  • https://github.com/pnggroup/libpng/issues/656
  • https://nvd.nist.gov/vuln/detail/CVE-2025-28162
