{"id":"CVE-2025-64720","summary":"LIBPNG is vulnerable to a buffer overflow (out-of-bounds read) in `png_image_read_composite` via incorrect palette premultiplication","details":"LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 up to, but not including, 1.6.51, an out-of-bounds read vulnerability exists in png_image_read_composite when processing palette images with PNG_FLAG_OPTIMIZE_ALPHA enabled. The palette compositing code in png_init_read_transformations incorrectly applies background compositing during premultiplication, violating the invariant component ≤ alpha × 257 required by the simplified PNG API. This issue has been patched in version 1.6.51.","aliases":["GHSA-hfc7-ph9c-wcww"],"modified":"2026-04-16T04:35:43.963779045Z","published":"2025-11-24T23:45:38.315Z","related":["ALSA-2026:0125","ALSA-2026:0237","ALSA-2026:0238","ALSA-2026:0241","ALSA-2026:0927","ALSA-2026:0928","ALSA-2026:0932","ALSA-2026:0933","SUSE-SU-2025:21217-1","SUSE-SU-2025:21220-1","SUSE-SU-2025:4436-1","SUSE-SU-2025:4494-1","SUSE-SU-2025:4533-1","SUSE-SU-2026:20030-1","SUSE-SU-2026:20073-1","openSUSE-SU-2025:15781-1","openSUSE-SU-2026:20017-1"],"database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/64xxx/CVE-2025-64720.json","cwe_ids":["CWE-125"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/64xxx/CVE-2025-64720.json"},{"type":"ADVISORY","url":"https://github.com/pnggroup/libpng/security/advisories/GHSA-hfc7-ph9c-wcww"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-64720"},{"type":"REPORT","url":"https://github.com/pnggroup/libpng/issues/686"},{"type":"FIX","url":"https://github.com/pnggroup/libpng/commit/08da33b4c88cfcd36e5a706558a8d7e0e4773643"},{"type":"FIX","url":"https://github.com/pnggroup/libpng/pull/751"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://
github.com/glennrp/libpng","events":[{"introduced":"c53778ff53a73ad2d676602f5dc7019566be5058"},{"fixed":"49363adcfaf098748d7a4c8c624ad8c45a8c3a86"}],"database_specific":{"versions":[{"introduced":"1.6.0"},{"fixed":"1.6.51"}]}}],"versions":["libpng-1.6.10-signed","libpng-1.6.11-signed","libpng-1.6.12-signed","libpng-1.6.13-signed","libpng-1.6.14-signed","libpng-1.6.15-signed","libpng-1.6.16-signed","libpng-1.6.17-signed","libpng-1.6.18-signed","libpng-1.6.2-signed","libpng-1.6.20-signed","libpng-1.6.21-signed","libpng-1.6.23-signed","libpng-1.6.24-signed","libpng-1.6.25-signed","libpng-1.6.26-signed","libpng-1.6.29-signed","libpng-1.6.3-signed","libpng-1.6.30-master-signed","libpng-1.6.30-signed","libpng-1.6.31-master-signed","libpng-1.6.31-signed","libpng-1.6.4-signed","libpng-1.6.7-signed","libpng-1.6.8-signed","libpng-1.6.9-signed","v1.6.0","v1.6.1","v1.6.10","v1.6.10beta01","v1.6.10beta02","v1.6.10rc01","v1.6.10rc02","v1.6.10rc03","v1.6.11","v1.6.11beta01","v1.6.11beta02","v1.6.11beta03","v1.6.11beta04","v1.6.11beta05","v1.6.11beta06","v1.6.11rc01","v1.6.11rc02","v1.6.12","v1.6.12rc01","v1.6.12rc02","v1.6.12rc03","v1.6.13","v1.6.13beta01","v1.6.13beta02","v1.6.13beta03","v1.6.13beta04","v1.6.13rc01","v1.6.14","v1.6.14beta01","v1.6.14beta02","v1.6.14beta03","v1.6.14beta04","v1.6.14beta05","v1.6.14beta06","v1.6.14beta07","v1.6.14rc01","v1.6.14rc02","v1.6.15","v1.6.15beta01","v1.6.15beta02","v1.6.15beta03","v1.6.15beta04","v1.6.15beta05","v1.6.15beta06","v1.6.15beta07","v1.6.15beta08","v1.6.15rc01","v1.6.15rc02","v1.6.15rc03","v1.6.16","v1.6.16beta01","v1.6.16beta02","v1.6.16beta03","v1.6.16rc01","v1.6.16rc02","v1.6.16rc03","v1.6.17","v1.6.17beta01","v1.6.17beta02","v1.6.17beta03","v1.6.17beta04","v1.6.17beta05","v1.6.17rc01","v1.6.17rc02","v1.6.17rc03","v1.6.17rc04","v1.6.17rc05","v1.6.17rc06","v1.6.18","v1.6.18beta01","v1.6.18beta02","v1.6.18beta03","v1.6.18beta04","v1.6.18beta05","v1.6.18beta06","v1.6.18beta07","v1.6.18beta08","v1.6.18beta09","v1.6.18rc01","v1.6.
18rc02","v1.6.18rc03","v1.6.19","v1.6.19beta01","v1.6.19beta02","v1.6.19beta03","v1.6.19beta04","v1.6.19rc01","v1.6.19rc02","v1.6.19rc03","v1.6.19rc04","v1.6.1beta01","v1.6.1beta02","v1.6.1beta03","v1.6.1beta04","v1.6.1beta05","v1.6.1beta06","v1.6.1beta07","v1.6.1beta08","v1.6.1beta09","v1.6.1rc01","v1.6.2","v1.6.20beta01","v1.6.20beta02","v1.6.20beta03","v1.6.20rc01","v1.6.20rc02","v1.6.21","v1.6.21beta01","v1.6.21beta02","v1.6.21beta03","v1.6.21rc01","v1.6.21rc02","v1.6.22","v1.6.22beta01","v1.6.22beta02","v1.6.22beta05","v1.6.22beta06","v1.6.22rc01","v1.6.22rc02","v1.6.22rc03","v1.6.23","v1.6.23beta01","v1.6.23rc01","v1.6.23rc02","v1.6.24","v1.6.24beta02","v1.6.24beta03","v1.6.24beta04","v1.6.24beta05","v1.6.24beta06","v1.6.24rc01","v1.6.24rc02","v1.6.24rc03","v1.6.25","v1.6.25beta02","v1.6.25rc04","v1.6.26","v1.6.26beta01","v1.6.26beta02","v1.6.26beta03","v1.6.26beta04","v1.6.26beta05","v1.6.26beta06","v1.6.26rc01","v1.6.27beta01","v1.6.29","v1.6.29beta02","v1.6.29beta03","v1.6.29rc01","v1.6.2beta01","v1.6.2beta02","v1.6.2rc01","v1.6.2rc02","v1.6.2rc03","v1.6.2rc04","v1.6.2rc05","v1.6.2rc06","v1.6.3","v1.6.30","v1.6.30beta01","v1.6.30beta02","v1.6.30beta03","v1.6.30beta04","v1.6.30rc01","v1.6.31","v1.6.31beta01","v1.6.31beta02","v1.6.31beta03","v1.6.31beta04","v1.6.31beta05","v1.6.31beta06","v1.6.31beta07","v1.6.31rc01","v1.6.31rc02","v1.6.32","v1.6.32beta01","v1.6.32beta02","v1.6.32beta03","v1.6.32beta05","v1.6.32beta06","v1.6.32beta07","v1.6.32beta08","v1.6.32beta09","v1.6.32beta10","v1.6.32beta11","v1.6.32rc01","v1.6.32rc02","v1.6.33","v1.6.33beta01","v1.6.33beta02","v1.6.33beta03","v1.6.33rc01","v1.6.33rc02","v1.6.34","v1.6.35","v1.6.35beta01","v1.6.36","v1.6.37","v1.6.38","v1.6.39","v1.6.3beta01","v1.6.3beta02","v1.6.3beta03","v1.6.3beta04","v1.6.3beta05","v1.6.3beta06","v1.6.3beta07","v1.6.3beta08","v1.6.3beta09","v1.6.3beta10","v1.6.3rc01","v1.6.4","v1.6.40","v1.6.41","v1.6.42","v1.6.43","v1.6.44","v1.6.45","v1.6.46","v1.6.47","v1.6.48","v1.6.49","v1.6.4b
eta02","v1.6.4rc01","v1.6.5","v1.6.50","v1.6.6","v1.6.7","v1.6.7beta01","v1.6.7beta02","v1.6.7beta03","v1.6.7beta04","v1.6.7rc01","v1.6.7rc02","v1.6.8","v1.6.8beta01","v1.6.8beta02","v1.6.8rc02","v1.6.9","v1.6.9beta01","v1.6.9beta02","v1.6.9beta03","v1.6.9rc01","v1.6.9rc02"],"database_specific":{"vanir_signatures":[{"source":"https://github.com/glennrp/libpng/commit/49363adcfaf098748d7a4c8c624ad8c45a8c3a86","digest":{"line_hashes":["166375070723291529406421301066248769034","275647010778297936193963675511576832388","256826767335212246520616614652191899280","279336807821086835335477021495116274772","289998086382119027680343151146219735692","127562272222925286109814353033687270978","25813353444574047506367402039418644046","253582453789718568595455958296774742498"],"threshold":0.9},"deprecated":false,"target":{"file":"png.h"},"id":"CVE-2025-64720-1ff2fa39","signature_type":"Line","signature_version":"v1"},{"source":"https://github.com/glennrp/libpng/commit/49363adcfaf098748d7a4c8c624ad8c45a8c3a86","digest":{"line_hashes":["156580915294223224015440899088615326697","218405736567565762721805663647781263162","85662020663482796805838288188511316315","230686006833406113235008350425423979914","260919417129355689179955630465652050316","95506800799202743812829450076592490423"],"threshold":0.9},"deprecated":false,"target":{"file":"png.c"},"id":"CVE-2025-64720-485b33da","signature_type":"Line","signature_version":"v1"},{"source":"https://github.com/glennrp/libpng/commit/49363adcfaf098748d7a4c8c624ad8c45a8c3a86","digest":{"length":481,"function_hash":"308839484675692000161271595223156832928"},"deprecated":false,"target":{"file":"png.c","function":"png_get_copyright"},"id":"CVE-2025-64720-a8777218","signature_type":"Function","signature_version":"v1"},{"source":"https://github.com/glennrp/libpng/commit/49363adcfaf098748d7a4c8c624ad8c45a8c3a86","digest":{"line_hashes":["52540900908244694562855646578057113774","200219053898519147474761570586990540810","23871324486584156747326023564743
243101","63048311541359152088830007041723625585"],"threshold":0.9},"deprecated":false,"target":{"file":"pngtest.c"},"id":"CVE-2025-64720-e1a15be6","signature_type":"Line","signature_version":"v1"}],"vanir_signatures_modified":"2026-04-12T19:16:08Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64720.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/pnggroup/libpng","events":[{"introduced":"c53778ff53a73ad2d676602f5dc7019566be5058"},{"fixed":"49363adcfaf098748d7a4c8c624ad8c45a8c3a86"}]}],"versions":["libpng-1.6.10-signed","libpng-1.6.11-signed","libpng-1.6.12-signed","libpng-1.6.13-signed","libpng-1.6.14-signed","libpng-1.6.15-signed","libpng-1.6.16-signed","libpng-1.6.17-signed","libpng-1.6.18-signed","libpng-1.6.2-signed","libpng-1.6.20-signed","libpng-1.6.21-signed","libpng-1.6.23-signed","libpng-1.6.24-signed","libpng-1.6.25-signed","libpng-1.6.26-signed","libpng-1.6.29-signed","libpng-1.6.3-signed","libpng-1.6.30-master-signed","libpng-1.6.30-signed","libpng-1.6.31-master-signed","libpng-1.6.31-signed","libpng-1.6.4-signed","libpng-1.6.7-signed","libpng-1.6.8-signed","libpng-1.6.9-signed","v1.6.0","v1.6.1","v1.6.10","v1.6.10beta01","v1.6.10beta02","v1.6.10rc01","v1.6.10rc02","v1.6.10rc03","v1.6.11","v1.6.11beta01","v1.6.11beta02","v1.6.11beta03","v1.6.11beta04","v1.6.11beta05","v1.6.11beta06","v1.6.11rc01","v1.6.11rc02","v1.6.12","v1.6.12rc01","v1.6.12rc02","v1.6.12rc03","v1.6.13","v1.6.13beta01","v1.6.13beta02","v1.6.13beta03","v1.6.13beta04","v1.6.13rc01","v1.6.14","v1.6.14beta01","v1.6.14beta02","v1.6.14beta03","v1.6.14beta04","v1.6.14beta05","v1.6.14beta06","v1.6.14beta07","v1.6.14rc01","v1.6.14rc02","v1.6.15","v1.6.15beta01","v1.6.15beta02","v1.6.15beta03","v1.6.15beta04","v1.6.15beta05","v1.6.15beta06","v1.6.15beta07","v1.6.15beta08","v1.6.15rc01","v1.6.15rc02","v1.6.15rc03","v1.6.16","v1.6.16beta01","v1.6.16beta02","v1.6.16beta03","v1.6.16rc01","v1.6.16rc02","v1.6.16rc03","v1.6.17","v1.6.17beta01","v1.6.17beta02
","v1.6.17beta03","v1.6.17beta04","v1.6.17beta05","v1.6.17rc01","v1.6.17rc02","v1.6.17rc03","v1.6.17rc04","v1.6.17rc05","v1.6.17rc06","v1.6.18","v1.6.18beta01","v1.6.18beta02","v1.6.18beta03","v1.6.18beta04","v1.6.18beta05","v1.6.18beta06","v1.6.18beta07","v1.6.18beta08","v1.6.18beta09","v1.6.18rc01","v1.6.18rc02","v1.6.18rc03","v1.6.19","v1.6.19beta01","v1.6.19beta02","v1.6.19beta03","v1.6.19beta04","v1.6.19rc01","v1.6.19rc02","v1.6.19rc03","v1.6.19rc04","v1.6.1beta01","v1.6.1beta02","v1.6.1beta03","v1.6.1beta04","v1.6.1beta05","v1.6.1beta06","v1.6.1beta07","v1.6.1beta08","v1.6.1beta09","v1.6.1rc01","v1.6.2","v1.6.20beta01","v1.6.20beta02","v1.6.20beta03","v1.6.20rc01","v1.6.20rc02","v1.6.21","v1.6.21beta01","v1.6.21beta02","v1.6.21beta03","v1.6.21rc01","v1.6.21rc02","v1.6.22","v1.6.22beta01","v1.6.22beta02","v1.6.22beta05","v1.6.22beta06","v1.6.22rc01","v1.6.22rc02","v1.6.22rc03","v1.6.23","v1.6.23beta01","v1.6.23rc01","v1.6.23rc02","v1.6.24","v1.6.24beta02","v1.6.24beta03","v1.6.24beta04","v1.6.24beta05","v1.6.24beta06","v1.6.24rc01","v1.6.24rc02","v1.6.24rc03","v1.6.25","v1.6.25beta02","v1.6.25rc04","v1.6.26","v1.6.26beta01","v1.6.26beta02","v1.6.26beta03","v1.6.26beta04","v1.6.26beta05","v1.6.26beta06","v1.6.26rc01","v1.6.27beta01","v1.6.29","v1.6.29beta02","v1.6.29beta03","v1.6.29rc01","v1.6.2beta01","v1.6.2beta02","v1.6.2rc01","v1.6.2rc02","v1.6.2rc03","v1.6.2rc04","v1.6.2rc05","v1.6.2rc06","v1.6.3","v1.6.30","v1.6.30beta01","v1.6.30beta02","v1.6.30beta03","v1.6.30beta04","v1.6.30rc01","v1.6.31","v1.6.31beta01","v1.6.31beta02","v1.6.31beta03","v1.6.31beta04","v1.6.31beta05","v1.6.31beta06","v1.6.31beta07","v1.6.31rc01","v1.6.31rc02","v1.6.32","v1.6.32beta01","v1.6.32beta02","v1.6.32beta03","v1.6.32beta05","v1.6.32beta06","v1.6.32beta07","v1.6.32beta08","v1.6.32beta09","v1.6.32beta10","v1.6.32beta11","v1.6.32rc01","v1.6.32rc02","v1.6.33","v1.6.33beta01","v1.6.33beta02","v1.6.33beta03","v1.6.33rc01","v1.6.33rc02","v1.6.34","v1.6.35","v1.6.35beta01","v1.6.36","v
1.6.37","v1.6.38","v1.6.39","v1.6.3beta01","v1.6.3beta02","v1.6.3beta03","v1.6.3beta04","v1.6.3beta05","v1.6.3beta06","v1.6.3beta07","v1.6.3beta08","v1.6.3beta09","v1.6.3beta10","v1.6.3rc01","v1.6.4","v1.6.40","v1.6.41","v1.6.42","v1.6.43","v1.6.44","v1.6.45","v1.6.46","v1.6.47","v1.6.48","v1.6.49","v1.6.4beta02","v1.6.4rc01","v1.6.5","v1.6.50","v1.6.6","v1.6.7","v1.6.7beta01","v1.6.7beta02","v1.6.7beta03","v1.6.7beta04","v1.6.7rc01","v1.6.7rc02","v1.6.8","v1.6.8beta01","v1.6.8beta02","v1.6.8rc02","v1.6.9","v1.6.9beta01","v1.6.9beta02","v1.6.9beta03","v1.6.9rc01","v1.6.9rc02"],"database_specific":{"vanir_signatures":[{"source":"https://github.com/pnggroup/libpng/commit/49363adcfaf098748d7a4c8c624ad8c45a8c3a86","digest":{"line_hashes":["166375070723291529406421301066248769034","275647010778297936193963675511576832388","256826767335212246520616614652191899280","279336807821086835335477021495116274772","289998086382119027680343151146219735692","127562272222925286109814353033687270978","25813353444574047506367402039418644046","253582453789718568595455958296774742498"],"threshold":0.9},"deprecated":false,"target":{"file":"png.h"},"id":"CVE-2025-64720-547918c0","signature_type":"Line","signature_version":"v1"},{"source":"https://github.com/pnggroup/libpng/commit/49363adcfaf098748d7a4c8c624ad8c45a8c3a86","digest":{"line_hashes":["52540900908244694562855646578057113774","200219053898519147474761570586990540810","23871324486584156747326023564743243101","63048311541359152088830007041723625585"],"threshold":0.9},"deprecated":false,"target":{"file":"pngtest.c"},"id":"CVE-2025-64720-6bf57c8e","signature_type":"Line","signature_version":"v1"},{"source":"https://github.com/pnggroup/libpng/commit/49363adcfaf098748d7a4c8c624ad8c45a8c3a86","digest":{"line_hashes":["156580915294223224015440899088615326697","218405736567565762721805663647781263162","85662020663482796805838288188511316315","230686006833406113235008350425423979914","260919417129355689179955630465652050316","9550680079920
2743812829450076592490423"],"threshold":0.9},"deprecated":false,"target":{"file":"png.c"},"id":"CVE-2025-64720-9afdfcea","signature_type":"Line","signature_version":"v1"},{"source":"https://github.com/pnggroup/libpng/commit/49363adcfaf098748d7a4c8c624ad8c45a8c3a86","digest":{"length":481,"function_hash":"308839484675692000161271595223156832928"},"deprecated":false,"target":{"file":"png.c","function":"png_get_copyright"},"id":"CVE-2025-64720-d048d988","signature_type":"Function","signature_version":"v1"}],"vanir_signatures_modified":"2026-04-12T19:16:08Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64720.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H"}]}