CVE-2025-64720

Source
https://cve.org/CVERecord?id=CVE-2025-64720
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64720.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-64720
Aliases
  • GHSA-hfc7-ph9c-wcww
Downstream
Related
Published
2025-11-24T23:45:38.315Z
Modified
2026-04-16T04:35:43.963779045Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
Summary
LIBPNG is vulnerable to a buffer overflow in `png_image_read_composite` via incorrect palette premultiplication
Details

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, an out-of-bounds read vulnerability exists in `png_image_read_composite` when processing palette images with `PNG_FLAG_OPTIMIZE_ALPHA` enabled. The palette compositing code in `png_init_read_transformations` incorrectly applies background compositing during premultiplication, violating the invariant component ≤ alpha × 257 required by the simplified PNG API. This issue has been patched in version 1.6.51.

Database specific
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/64xxx/CVE-2025-64720.json",
    "cwe_ids": [
        "CWE-125"
    ]
}
References

Affected packages

Git / github.com/glennrp/libpng

Affected ranges

Type
GIT
Repo
https://github.com/glennrp/libpng
Events
Database specific
{
    "versions": [
        {
            "introduced": "1.6.0"
        },
        {
            "fixed": "1.6.51"
        }
    ]
}

Affected versions

libpng-1.*
libpng-1.6.10-signed
libpng-1.6.11-signed
libpng-1.6.12-signed
libpng-1.6.13-signed
libpng-1.6.14-signed
libpng-1.6.15-signed
libpng-1.6.16-signed
libpng-1.6.17-signed
libpng-1.6.18-signed
libpng-1.6.2-signed
libpng-1.6.20-signed
libpng-1.6.21-signed
libpng-1.6.23-signed
libpng-1.6.24-signed
libpng-1.6.25-signed
libpng-1.6.26-signed
libpng-1.6.29-signed
libpng-1.6.3-signed
libpng-1.6.30-master-signed
libpng-1.6.30-signed
libpng-1.6.31-master-signed
libpng-1.6.31-signed
libpng-1.6.4-signed
libpng-1.6.7-signed
libpng-1.6.8-signed
libpng-1.6.9-signed
v1.*
v1.6.0
v1.6.1
v1.6.10
v1.6.10beta01
v1.6.10beta02
v1.6.10rc01
v1.6.10rc02
v1.6.10rc03
v1.6.11
v1.6.11beta01
v1.6.11beta02
v1.6.11beta03
v1.6.11beta04
v1.6.11beta05
v1.6.11beta06
v1.6.11rc01
v1.6.11rc02
v1.6.12
v1.6.12rc01
v1.6.12rc02
v1.6.12rc03
v1.6.13
v1.6.13beta01
v1.6.13beta02
v1.6.13beta03
v1.6.13beta04
v1.6.13rc01
v1.6.14
v1.6.14beta01
v1.6.14beta02
v1.6.14beta03
v1.6.14beta04
v1.6.14beta05
v1.6.14beta06
v1.6.14beta07
v1.6.14rc01
v1.6.14rc02
v1.6.15
v1.6.15beta01
v1.6.15beta02
v1.6.15beta03
v1.6.15beta04
v1.6.15beta05
v1.6.15beta06
v1.6.15beta07
v1.6.15beta08
v1.6.15rc01
v1.6.15rc02
v1.6.15rc03
v1.6.16
v1.6.16beta01
v1.6.16beta02
v1.6.16beta03
v1.6.16rc01
v1.6.16rc02
v1.6.16rc03
v1.6.17
v1.6.17beta01
v1.6.17beta02
v1.6.17beta03
v1.6.17beta04
v1.6.17beta05
v1.6.17rc01
v1.6.17rc02
v1.6.17rc03
v1.6.17rc04
v1.6.17rc05
v1.6.17rc06
v1.6.18
v1.6.18beta01
v1.6.18beta02
v1.6.18beta03
v1.6.18beta04
v1.6.18beta05
v1.6.18beta06
v1.6.18beta07
v1.6.18beta08
v1.6.18beta09
v1.6.18rc01
v1.6.18rc02
v1.6.18rc03
v1.6.19
v1.6.19beta01
v1.6.19beta02
v1.6.19beta03
v1.6.19beta04
v1.6.19rc01
v1.6.19rc02
v1.6.19rc03
v1.6.19rc04
v1.6.1beta01
v1.6.1beta02
v1.6.1beta03
v1.6.1beta04
v1.6.1beta05
v1.6.1beta06
v1.6.1beta07
v1.6.1beta08
v1.6.1beta09
v1.6.1rc01
v1.6.2
v1.6.20beta01
v1.6.20beta02
v1.6.20beta03
v1.6.20rc01
v1.6.20rc02
v1.6.21
v1.6.21beta01
v1.6.21beta02
v1.6.21beta03
v1.6.21rc01
v1.6.21rc02
v1.6.22
v1.6.22beta01
v1.6.22beta02
v1.6.22beta05
v1.6.22beta06
v1.6.22rc01
v1.6.22rc02
v1.6.22rc03
v1.6.23
v1.6.23beta01
v1.6.23rc01
v1.6.23rc02
v1.6.24
v1.6.24beta02
v1.6.24beta03
v1.6.24beta04
v1.6.24beta05
v1.6.24beta06
v1.6.24rc01
v1.6.24rc02
v1.6.24rc03
v1.6.25
v1.6.25beta02
v1.6.25rc04
v1.6.26
v1.6.26beta01
v1.6.26beta02
v1.6.26beta03
v1.6.26beta04
v1.6.26beta05
v1.6.26beta06
v1.6.26rc01
v1.6.27beta01
v1.6.29
v1.6.29beta02
v1.6.29beta03
v1.6.29rc01
v1.6.2beta01
v1.6.2beta02
v1.6.2rc01
v1.6.2rc02
v1.6.2rc03
v1.6.2rc04
v1.6.2rc05
v1.6.2rc06
v1.6.3
v1.6.30
v1.6.30beta01
v1.6.30beta02
v1.6.30beta03
v1.6.30beta04
v1.6.30rc01
v1.6.31
v1.6.31beta01
v1.6.31beta02
v1.6.31beta03
v1.6.31beta04
v1.6.31beta05
v1.6.31beta06
v1.6.31beta07
v1.6.31rc01
v1.6.31rc02
v1.6.32
v1.6.32beta01
v1.6.32beta02
v1.6.32beta03
v1.6.32beta05
v1.6.32beta06
v1.6.32beta07
v1.6.32beta08
v1.6.32beta09
v1.6.32beta10
v1.6.32beta11
v1.6.32rc01
v1.6.32rc02
v1.6.33
v1.6.33beta01
v1.6.33beta02
v1.6.33beta03
v1.6.33rc01
v1.6.33rc02
v1.6.34
v1.6.35
v1.6.35beta01
v1.6.36
v1.6.37
v1.6.38
v1.6.39
v1.6.3beta01
v1.6.3beta02
v1.6.3beta03
v1.6.3beta04
v1.6.3beta05
v1.6.3beta06
v1.6.3beta07
v1.6.3beta08
v1.6.3beta09
v1.6.3beta10
v1.6.3rc01
v1.6.4
v1.6.40
v1.6.41
v1.6.42
v1.6.43
v1.6.44
v1.6.45
v1.6.46
v1.6.47
v1.6.48
v1.6.49
v1.6.4beta02
v1.6.4rc01
v1.6.5
v1.6.50
v1.6.6
v1.6.7
v1.6.7beta01
v1.6.7beta02
v1.6.7beta03
v1.6.7beta04
v1.6.7rc01
v1.6.7rc02
v1.6.8
v1.6.8beta01
v1.6.8beta02
v1.6.8rc02
v1.6.9
v1.6.9beta01
v1.6.9beta02
v1.6.9beta03
v1.6.9rc01
v1.6.9rc02

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64720.json"
vanir_signatures
vanir_signatures_modified
"2026-04-12T19:16:08Z"

Git / github.com/pnggroup/libpng

Affected ranges

Type
GIT
Repo
https://github.com/pnggroup/libpng
Events

Affected versions

libpng-1.*
libpng-1.6.10-signed
libpng-1.6.11-signed
libpng-1.6.12-signed
libpng-1.6.13-signed
libpng-1.6.14-signed
libpng-1.6.15-signed
libpng-1.6.16-signed
libpng-1.6.17-signed
libpng-1.6.18-signed
libpng-1.6.2-signed
libpng-1.6.20-signed
libpng-1.6.21-signed
libpng-1.6.23-signed
libpng-1.6.24-signed
libpng-1.6.25-signed
libpng-1.6.26-signed
libpng-1.6.29-signed
libpng-1.6.3-signed
libpng-1.6.30-master-signed
libpng-1.6.30-signed
libpng-1.6.31-master-signed
libpng-1.6.31-signed
libpng-1.6.4-signed
libpng-1.6.7-signed
libpng-1.6.8-signed
libpng-1.6.9-signed
v1.*
v1.6.0
v1.6.1
v1.6.10
v1.6.10beta01
v1.6.10beta02
v1.6.10rc01
v1.6.10rc02
v1.6.10rc03
v1.6.11
v1.6.11beta01
v1.6.11beta02
v1.6.11beta03
v1.6.11beta04
v1.6.11beta05
v1.6.11beta06
v1.6.11rc01
v1.6.11rc02
v1.6.12
v1.6.12rc01
v1.6.12rc02
v1.6.12rc03
v1.6.13
v1.6.13beta01
v1.6.13beta02
v1.6.13beta03
v1.6.13beta04
v1.6.13rc01
v1.6.14
v1.6.14beta01
v1.6.14beta02
v1.6.14beta03
v1.6.14beta04
v1.6.14beta05
v1.6.14beta06
v1.6.14beta07
v1.6.14rc01
v1.6.14rc02
v1.6.15
v1.6.15beta01
v1.6.15beta02
v1.6.15beta03
v1.6.15beta04
v1.6.15beta05
v1.6.15beta06
v1.6.15beta07
v1.6.15beta08
v1.6.15rc01
v1.6.15rc02
v1.6.15rc03
v1.6.16
v1.6.16beta01
v1.6.16beta02
v1.6.16beta03
v1.6.16rc01
v1.6.16rc02
v1.6.16rc03
v1.6.17
v1.6.17beta01
v1.6.17beta02
v1.6.17beta03
v1.6.17beta04
v1.6.17beta05
v1.6.17rc01
v1.6.17rc02
v1.6.17rc03
v1.6.17rc04
v1.6.17rc05
v1.6.17rc06
v1.6.18
v1.6.18beta01
v1.6.18beta02
v1.6.18beta03
v1.6.18beta04
v1.6.18beta05
v1.6.18beta06
v1.6.18beta07
v1.6.18beta08
v1.6.18beta09
v1.6.18rc01
v1.6.18rc02
v1.6.18rc03
v1.6.19
v1.6.19beta01
v1.6.19beta02
v1.6.19beta03
v1.6.19beta04
v1.6.19rc01
v1.6.19rc02
v1.6.19rc03
v1.6.19rc04
v1.6.1beta01
v1.6.1beta02
v1.6.1beta03
v1.6.1beta04
v1.6.1beta05
v1.6.1beta06
v1.6.1beta07
v1.6.1beta08
v1.6.1beta09
v1.6.1rc01
v1.6.2
v1.6.20beta01
v1.6.20beta02
v1.6.20beta03
v1.6.20rc01
v1.6.20rc02
v1.6.21
v1.6.21beta01
v1.6.21beta02
v1.6.21beta03
v1.6.21rc01
v1.6.21rc02
v1.6.22
v1.6.22beta01
v1.6.22beta02
v1.6.22beta05
v1.6.22beta06
v1.6.22rc01
v1.6.22rc02
v1.6.22rc03
v1.6.23
v1.6.23beta01
v1.6.23rc01
v1.6.23rc02
v1.6.24
v1.6.24beta02
v1.6.24beta03
v1.6.24beta04
v1.6.24beta05
v1.6.24beta06
v1.6.24rc01
v1.6.24rc02
v1.6.24rc03
v1.6.25
v1.6.25beta02
v1.6.25rc04
v1.6.26
v1.6.26beta01
v1.6.26beta02
v1.6.26beta03
v1.6.26beta04
v1.6.26beta05
v1.6.26beta06
v1.6.26rc01
v1.6.27beta01
v1.6.29
v1.6.29beta02
v1.6.29beta03
v1.6.29rc01
v1.6.2beta01
v1.6.2beta02
v1.6.2rc01
v1.6.2rc02
v1.6.2rc03
v1.6.2rc04
v1.6.2rc05
v1.6.2rc06
v1.6.3
v1.6.30
v1.6.30beta01
v1.6.30beta02
v1.6.30beta03
v1.6.30beta04
v1.6.30rc01
v1.6.31
v1.6.31beta01
v1.6.31beta02
v1.6.31beta03
v1.6.31beta04
v1.6.31beta05
v1.6.31beta06
v1.6.31beta07
v1.6.31rc01
v1.6.31rc02
v1.6.32
v1.6.32beta01
v1.6.32beta02
v1.6.32beta03
v1.6.32beta05
v1.6.32beta06
v1.6.32beta07
v1.6.32beta08
v1.6.32beta09
v1.6.32beta10
v1.6.32beta11
v1.6.32rc01
v1.6.32rc02
v1.6.33
v1.6.33beta01
v1.6.33beta02
v1.6.33beta03
v1.6.33rc01
v1.6.33rc02
v1.6.34
v1.6.35
v1.6.35beta01
v1.6.36
v1.6.37
v1.6.38
v1.6.39
v1.6.3beta01
v1.6.3beta02
v1.6.3beta03
v1.6.3beta04
v1.6.3beta05
v1.6.3beta06
v1.6.3beta07
v1.6.3beta08
v1.6.3beta09
v1.6.3beta10
v1.6.3rc01
v1.6.4
v1.6.40
v1.6.41
v1.6.42
v1.6.43
v1.6.44
v1.6.45
v1.6.46
v1.6.47
v1.6.48
v1.6.49
v1.6.4beta02
v1.6.4rc01
v1.6.5
v1.6.50
v1.6.6
v1.6.7
v1.6.7beta01
v1.6.7beta02
v1.6.7beta03
v1.6.7beta04
v1.6.7rc01
v1.6.7rc02
v1.6.8
v1.6.8beta01
v1.6.8beta02
v1.6.8rc02
v1.6.9
v1.6.9beta01
v1.6.9beta02
v1.6.9beta03
v1.6.9rc01
v1.6.9rc02

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64720.json"
vanir_signatures
vanir_signatures_modified
"2026-04-12T19:16:08Z"