CVE-2025-66293

7.1 HIGH

📋 TL;DR

CVE-2025-66293 is an out-of-bounds read in libpng's simplified API: when processing PNG images with specific characteristics, it can read up to 1012 bytes beyond allocated memory. Applications that use libpng versions prior to 1.6.52 to process PNG files are affected and may expose sensitive memory contents. The vulnerability is triggered by PNG files that are valid per the specification, which makes detection difficult.

💻 Affected Systems

Products:
  • libpng
  • Applications using libpng library
Versions: libpng versions prior to 1.6.52
Operating Systems: All operating systems using vulnerable libpng versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects simplified API usage with palette PNG images containing partial transparency and gamma correction.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Information disclosure of up to 1012 bytes of adjacent heap memory, potentially exposing sensitive data like passwords, keys, or application state.

🟠 Likely Case

Application crash or denial of service due to invalid memory access, with possible limited information leakage.

🟢 If Mitigated

Minimal impact with proper memory isolation and ASLR, though some information disclosure may still occur.

🌐 Internet-Facing: MEDIUM - PNG processing is common in web applications and image uploads, but exploitation requires specific PNG characteristics.
🏢 Internal Only: LOW - Requires processing malicious PNG files, which is less likely in controlled internal environments.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting specific PNG files that trigger the out-of-bounds read condition.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: libpng 1.6.52

Vendor Advisory: https://github.com/pnggroup/libpng/security/advisories/GHSA-9mpm-9pxh-mg4f

Restart Required: Yes

Instructions:

1. Download libpng 1.6.52 or later from official sources.
2. Compile and install the updated library.
3. Recompile any applications using libpng against the new version.
4. Restart affected services and applications.

🔧 Temporary Workarounds

Disable simplified API (platforms: all)

Avoid using libpng's simplified API functions that trigger this vulnerability.

Input validation (platforms: all)

Reject PNG files with palette color type and partial transparency before processing.
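The input-validation workaround above, as an added Python example that is not part of this advisory or of libpng: a pre-filter that parses the PNG chunk stream itself and rejects palette images (IHDR colour type 3) whose tRNS chunk carries partial alpha, before the file is handed to libpng. It assumes that "partial transparency" means any tRNS alpha value other than 0 or 255; the sample file it builds is constructed for the demonstration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
COLOR_TYPE_PALETTE = 3  # IHDR colour type for indexed-colour (palette) images

def iter_chunks(data):
    """Yield (type, payload) per chunk, checking lengths and CRCs as a PNG reader would."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos, ctype = len(PNG_SIGNATURE), None
    while ctype != b"IEND":
        if pos + 12 > len(data):
            raise ValueError("truncated PNG (no IEND chunk)")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length
        if end + 4 > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        payload = data[pos + 8:end]
        if zlib.crc32(ctype + payload) != struct.unpack(">I", data[end:end + 4])[0]:
            raise ValueError("CRC mismatch in chunk %r" % ctype)
        yield ctype, payload
        pos = end + 4

def inspect_png(data):
    """Collect the properties the advisory ties to the bug: colour type, partial alpha, gAMA."""
    info = {"color_type": None, "partial_transparency": False, "has_gama": False}
    for ctype, payload in iter_chunks(data):
        if ctype == b"IHDR":
            info["color_type"] = payload[9]  # IHDR layout: width(4) height(4) depth(1) colour type(1) ...
        elif ctype == b"tRNS" and info["color_type"] == COLOR_TYPE_PALETTE:
            # one alpha byte per palette entry; assumption: neither 0 nor 255 means partial transparency
            info["partial_transparency"] = any(0 < a < 255 for a in payload)
        elif ctype == b"gAMA":
            info["has_gama"] = True
    return info

def should_reject(data):  # workaround policy: refuse these files before libpng sees them
    info = inspect_png(data)
    return info["color_type"] == COLOR_TYPE_PALETTE and info["partial_transparency"]

def _chunk(ctype, payload):
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))

def build_sample_png(alpha):
    """Constructed 1x1 palette PNG with gAMA (test input only); its one palette entry gets the given alpha."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, COLOR_TYPE_PALETTE, 0, 0, 0)  # 1x1, 8-bit, palette
    chunks = [(b"IHDR", ihdr), (b"gAMA", struct.pack(">I", 45455)), (b"PLTE", b"\xff\x00\x00"),
              (b"tRNS", bytes([alpha])), (b"IDAT", zlib.compress(b"\x00\x00")), (b"IEND", b"")]
    return PNG_SIGNATURE + b"".join(_chunk(t, p) for t, p in chunks)
```

The filter is deliberately stricter than the trigger conditions (it does not require a gAMA chunk), since the simplified API's gamma handling depends on the caller as well as the file.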

🧯 If You Can't Patch

  • Implement strict input validation to reject suspicious PNG files
  • Isolate PNG processing in sandboxed environments with limited memory access

🔍 How to Verify

Check if Vulnerable:

Check libpng version with 'pngcrush -version' or examine library files for version strings

Check Version:

pngcrush -version 2>&1 | grep -i libpng

Verify Fix Applied:

Verify that the installed libpng version is 1.6.52 or higher using the version-checking commands above; note that pngcrush reports the libpng it was linked against, so also confirm the shared library actually loaded by the affected application.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes during PNG processing
  • Memory access violation errors
  • Unexpected termination of image processing services

Network Indicators:

  • Multiple PNG upload attempts with specific characteristics
  • Unusual PNG file sizes or structures

SIEM Query:

source="application_logs" AND ("segmentation fault" OR "access violation" OR "libpng") AND "png"
