{"id":"CVE-2025-65018","summary":"LIBPNG is vulnerable to a heap buffer overflow in `png_combine_row` triggered via `png_image_finish_read`","details":"LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, there is a heap buffer overflow vulnerability in the libpng simplified API function png_image_finish_read when processing 16-bit interlaced PNGs with 8-bit output format. Attacker-crafted interlaced PNG files cause heap writes beyond allocated buffer bounds. This issue has been patched in version 1.6.51.","aliases":["GHSA-7wv6-48j4-hj3g"],"modified":"2026-04-16T04:30:48.757669310Z","published":"2025-11-24T23:50:18.294Z","related":["ALSA-2026:0125","ALSA-2026:0237","ALSA-2026:0238","ALSA-2026:0241","ALSA-2026:0927","ALSA-2026:0928","ALSA-2026:0932","ALSA-2026:0933","SUSE-SU-2025:21217-1","SUSE-SU-2025:21220-1","SUSE-SU-2025:4436-1","SUSE-SU-2025:4494-1","SUSE-SU-2025:4533-1","SUSE-SU-2026:20030-1","SUSE-SU-2026:20073-1","openSUSE-SU-2025:15781-1","openSUSE-SU-2026:20017-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/65xxx/CVE-2025-65018.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-122","CWE-787"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/65xxx/CVE-2025-65018.json"},{"type":"ADVISORY","url":"https://github.com/pnggroup/libpng/security/advisories/GHSA-7wv6-48j4-hj3g"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-65018"},{"type":"REPORT","url":"https://github.com/pnggroup/libpng/issues/755"},{"type":"FIX","url":"https://github.com/pnggroup/libpng/commit/16b5e3823918840aae65c0a6da57c78a5a496a4d"},{"type":"FIX","url":"https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea"},{"type":"FIX","url":"https://github.com/pnggroup/libpng/pull/757"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/glennrp/libpng","events":[{"introduced":"c53778ff53a73ad2d676602f5dc7019566be5058"},{"fixed":"49363adcfaf098748d7a4c8c624ad8c45a8c3a86"}],"database_specific":{"versions":[{"introduced":"1.6.0"},{"fixed":"1.6.51"}]}}],"versions":["libpng-1.6.10-signed","libpng-1.6.11-signed","libpng-1.6.12-signed","libpng-1.6.13-signed","libpng-1.6.14-signed","libpng-1.6.15-signed","libpng-1.6.16-signed","libpng-1.6.17-signed","libpng-1.6.18-signed","libpng-1.6.2-signed","libpng-1.6.20-signed","libpng-1.6.21-signed","libpng-1.6.23-signed","libpng-1.6.24-signed","libpng-1.6.25-signed","libpng-1.6.26-signed","libpng-1.6.29-signed","libpng-1.6.3-signed","libpng-1.6.30-master-signed","libpng-1.6.30-signed","libpng-1.6.31-master-signed","libpng-1.6.31-signed","libpng-1.6.4-signed","libpng-1.6.7-signed","libpng-1.6.8-signed","libpng-1.6.9-signed","v1.6.0","v1.6.1","v1.6.10","v1.6.10beta01","v1.6.10beta02","v1.6.10rc01","v1.6.10rc02","v1.6.10rc03","v1.6.11","v1.6.11beta01","v1.6.11beta02","v1.6.11beta03","v1.6.11beta04","v1.6.11beta05","v1.6.11beta06","v1.6.11rc01","v1.6.11rc02","v1.6.12","v1.6.12rc01","v1.6.12rc02","v1.6.12rc03","v1.6.13","v1.6.13beta01","v1.6.13beta02","v1.6.13beta03","v1.6.13beta04","v1.6.13rc01","v1.6.14","v1.6.14beta01","v1.6.14beta02","v1.6.14beta03","v1.6.14beta04","v1.6.14beta05","v1.6.14beta06","v1.6.14beta07","v1.6.14rc01","v1.6.14rc02","v1.6.15","v1.6.15beta01","v1.6.15beta02","v1.6.15beta03","v1.6.15beta04","v1.6.15beta05","v1.6.15beta06","v1.6.15beta07","v1.6.15beta08","v1.6.15rc01","v1.6.15rc02","v1.6.15rc03","v1.6.16","v1.6.16beta01","v1.6.16beta02","v1.6.16beta03","v1.6.16rc01","v1.6.16rc02","v1.6.16rc03","v1.6.17","v1.6.17beta01","v1.6.17beta02","v1.6.17beta03","v1.6.17beta04","v1.6.17beta05","v1.6.17rc01","v1.6.17rc02","v1.6.17rc03","v1.6.17rc04","v1.6.17rc05","v1.6.17rc06","v1.6.18","v1.6.18beta01","v1.6.18beta02","v1.6.18beta03","v1.6.18beta04","v1.6.18beta05","v1.6.18beta06","v1.6.18beta07","v1.6.18beta08","v1.6.18beta09","v1.6.18rc01","v1.6.18rc02","v1.6.18rc03","v1.6.19","v1.6.19beta01","v1.6.19beta02","v1.6.19beta03","v1.6.19beta04","v1.6.19rc01","v1.6.19rc02","v1.6.19rc03","v1.6.19rc04","v1.6.1beta01","v1.6.1beta02","v1.6.1beta03","v1.6.1beta04","v1.6.1beta05","v1.6.1beta06","v1.6.1beta07","v1.6.1beta08","v1.6.1beta09","v1.6.1rc01","v1.6.2","v1.6.20beta01","v1.6.20beta02","v1.6.20beta03","v1.6.20rc01","v1.6.20rc02","v1.6.21","v1.6.21beta01","v1.6.21beta02","v1.6.21beta03","v1.6.21rc01","v1.6.21rc02","v1.6.22","v1.6.22beta01","v1.6.22beta02","v1.6.22beta05","v1.6.22beta06","v1.6.22rc01","v1.6.22rc02","v1.6.22rc03","v1.6.23","v1.6.23beta01","v1.6.23rc01","v1.6.23rc02","v1.6.24","v1.6.24beta02","v1.6.24beta03","v1.6.24beta04","v1.6.24beta05","v1.6.24beta06","v1.6.24rc01","v1.6.24rc02","v1.6.24rc03","v1.6.25","v1.6.25beta02","v1.6.25rc04","v1.6.26","v1.6.26beta01","v1.6.26beta02","v1.6.26beta03","v1.6.26beta04","v1.6.26beta05","v1.6.26beta06","v1.6.26rc01","v1.6.27beta01","v1.6.29","v1.6.29beta02","v1.6.29beta03","v1.6.29rc01","v1.6.2beta01","v1.6.2beta02","v1.6.2rc01","v1.6.2rc02","v1.6.2rc03","v1.6.2rc04","v1.6.2rc05","v1.6.2rc06","v1.6.3","v1.6.30","v1.6.30beta01","v1.6.30beta02","v1.6.30beta03","v1.6.30beta04","v1.6.30rc01","v1.6.31","v1.6.31beta01","v1.6.31beta02","v1.6.31beta03","v1.6.31beta04","v1.6.31beta05","v1.6.31beta06","v1.6.31beta07","v1.6.31rc01","v1.6.31rc02","v1.6.32","v1.6.32beta01","v1.6.32beta02","v1.6.32beta03","v1.6.32beta05","v1.6.32beta06","v1.6.32beta07","v1.6.32beta08","v1.6.32beta09","v1.6.32beta10","v1.6.32beta11","v1.6.32rc01","v1.6.32rc02","v1.6.33","v1.6.33beta01","v1.6.33beta02","v1.6.33beta03","v1.6.33rc01","v1.6.33rc02","v1.6.34","v1.6.35","v1.6.35beta01","v1.6.36","v1.6.37","v1.6.38","v1.6.39","v1.6.3beta01","v1.6.3beta02","v1.6.3beta03","v1.6.3beta04","v1.6.3beta05","v1.6.3beta06","v1.6.3beta07","v1.6.3beta08","v1.6.3beta09","v1.6.3beta10","v1.6.3rc01","v1.6.4","v1.6.40","v1.6.41","v1.6.42","v1.6.43","v1.6.44","v1.6.45","v1.6.46","v1.6.47","v1.6.48","v1.6.49","v1.6.4beta02","v1.6.4rc01","v1.6.5","v1.6.50","v1.6.6","v1.6.7","v1.6.7beta01","v1.6.7beta02","v1.6.7beta03","v1.6.7beta04","v1.6.7rc01","v1.6.7rc02","v1.6.8","v1.6.8beta01","v1.6.8beta02","v1.6.8rc02","v1.6.9","v1.6.9beta01","v1.6.9beta02","v1.6.9beta03","v1.6.9rc01","v1.6.9rc02"],"database_specific":{"vanir_signatures":[{"digest":{"line_hashes":["166375070723291529406421301066248769034","275647010778297936193963675511576832388","256826767335212246520616614652191899280","279336807821086835335477021495116274772","289998086382119027680343151146219735692","127562272222925286109814353033687270978","25813353444574047506367402039418644046","253582453789718568595455958296774742498"],"threshold":0.9},"signature_type":"Line","source":"https://github.com/glennrp/libpng/commit/49363adcfaf098748d7a4c8c624ad8c45a8c3a86","deprecated":false,"signature_version":"v1","target":{"file":"png.h"},"id":"CVE-2025-65018-1ff2fa39"},{"digest":{"line_hashes":["156580915294223224015440899088615326697","218405736567565762721805663647781263162","85662020663482796805838288188511316315","230686006833406113235008350425423979914","260919417129355689179955630465652050316","95506800799202743812829450076592490423"],"threshold":0.9},"signature_version":"v1","source":"https://github.com/glennrp/libpng/commit/49363adcfaf098748d7a4c8c624ad8c45a8c3a86","deprecated":false,"signature_type":"Line","target":{"file":"png.c"},"id":"CVE-2025-65018-485b33da"},{"id":"CVE-2025-65018-a8777218","signature_version":"v1","source":"https://github.com/glennrp/libpng/commit/49363adcfaf098748d7a4c8c624ad8c45a8c3a86","deprecated":false,"signature_type":"Function","target":{"function":"png_get_copyright","file":"png.c"},"digest":{"length":481,"function_hash":"308839484675692000161271595223156832928"}},{"digest":{"line_hashes":["52540900908244694562855646578057113774","200219053898519147474761570586990540810","23871324486584156747326023564743243101","63048311541359152088830007041723625585"],"threshold":0.9},"signature_version":"v1","source":"https://github.com/glennrp/libpng/commit/49363adcfaf098748d7a4c8c624ad8c45a8c3a86","deprecated":false,"signature_type":"Line","target":{"file":"pngtest.c"},"id":"CVE-2025-65018-e1a15be6"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-65018.json","vanir_signatures_modified":"2026-04-12T19:16:08Z"}},{"ranges":[{"type":"GIT","repo":"https://github.com/pnggroup/libpng","events":[{"introduced":"c53778ff53a73ad2d676602f5dc7019566be5058"},{"fixed":"49363adcfaf098748d7a4c8c624ad8c45a8c3a86"}]}],"versions":["libpng-1.6.10-signed","libpng-1.6.11-signed","libpng-1.6.12-signed","libpng-1.6.13-signed","libpng-1.6.14-signed","libpng-1.6.15-signed","libpng-1.6.16-signed","libpng-1.6.17-signed","libpng-1.6.18-signed","libpng-1.6.2-signed","libpng-1.6.20-signed","libpng-1.6.21-signed","libpng-1.6.23-signed","libpng-1.6.24-signed","libpng-1.6.25-signed","libpng-1.6.26-signed","libpng-1.6.29-signed","libpng-1.6.3-signed","libpng-1.6.30-master-signed","libpng-1.6.30-signed","libpng-1.6.31-master-signed","libpng-1.6.31-signed","libpng-1.6.4-signed","libpng-1.6.7-signed","libpng-1.6.8-signed","libpng-1.6.9-signed","v1.6.0","v1.6.1","v1.6.10","v1.6.10beta01","v1.6.10beta02","v1.6.10rc01","v1.6.10rc02","v1.6.10rc03","v1.6.11","v1.6.11beta01","v1.6.11beta02","v1.6.11beta03","v1.6.11beta04","v1.6.11beta05","v1.6.11beta06","v1.6.11rc01","v1.6.11rc02","v1.6.12","v1.6.12rc01","v1.6.12rc02","v1.6.12rc03","v1.6.13","v1.6.13beta01","v1.6.13beta02","v1.6.13beta03","v1.6.13beta04","v1.6.13rc01","v1.6.14","v1.6.14beta01","v1.6.14beta02","v1.6.14beta03","v1.6.14beta04","v1.6.14beta05","v1.6.14beta06","v1.6.14beta07","v1.6.14rc01","v1.6.14rc02","v1.6.15","v1.6.15beta01","v1.6.15beta02","v1.6.15beta03","v1.6.15beta04","v1.6.15beta05","v1.6.15beta06","v1.6.15beta07","v1.6.15beta08","v1.6.15rc01","v1.6.15rc02","v1.6.15rc03","v1.6.16","v1.6.16beta01","v1.6.16beta02","v1.6.16beta03","v1.6.16rc01","v1.6.16rc02","v1.6.16rc03","v1.6.17","v1.6.17beta01","v1.6.17beta02","v1.6.17beta03","v1.6.17beta04","v1.6.17beta05","v1.6.17rc01","v1.6.17rc02","v1.6.17rc03","v1.6.17rc04","v1.6.17rc05","v1.6.17rc06","v1.6.18","v1.6.18beta01","v1.6.18beta02","v1.6.18beta03","v1.6.18beta04","v1.6.18beta05","v1.6.18beta06","v1.6.18beta07","v1.6.18beta08","v1.6.18beta09","v1.6.18rc01","v1.6.18rc02","v1.6.18rc03","v1.6.19","v1.6.19beta01","v1.6.19beta02","v1.6.19beta03","v1.6.19beta04","v1.6.19rc01","v1.6.19rc02","v1.6.19rc03","v1.6.19rc04","v1.6.1beta01","v1.6.1beta02","v1.6.1beta03","v1.6.1beta04","v1.6.1beta05","v1.6.1beta06","v1.6.1beta07","v1.6.1beta08","v1.6.1beta09","v1.6.1rc01","v1.6.2","v1.6.20beta01","v1.6.20beta02","v1.6.20beta03","v1.6.20rc01","v1.6.20rc02","v1.6.21","v1.6.21beta01","v1.6.21beta02","v1.6.21beta03","v1.6.21rc01","v1.6.21rc02","v1.6.22","v1.6.22beta01","v1.6.22beta02","v1.6.22beta05","v1.6.22beta06","v1.6.22rc01","v1.6.22rc02","v1.6.22rc03","v1.6.23","v1.6.23beta01","v1.6.23rc01","v1.6.23rc02","v1.6.24","v1.6.24beta02","v1.6.24beta03","v1.6.24beta04","v1.6.24beta05","v1.6.24beta06","v1.6.24rc01","v1.6.24rc02","v1.6.24rc03","v1.6.25","v1.6.25beta02","v1.6.25rc04","v1.6.26","v1.6.26beta01","v1.6.26beta02","v1.6.26beta03","v1.6.26beta04","v1.6.26beta05","v1.6.26beta06","v1.6.26rc01","v1.6.27beta01","v1.6.29","v1.6.29beta02","v1.6.29beta03","v1.6.29rc01","v1.6.2beta01","v1.6.2beta02","v1.6.2rc01","v1.6.2rc02","v1.6.2rc03","v1.6.2rc04","v1.6.2rc05","v1.6.2rc06","v1.6.3","v1.6.30","v1.6.30beta01","v1.6.30beta02","v1.6.30beta03","v1.6.30beta04","v1.6.30rc01","v1.6.31","v1.6.31beta01","v1.6.31beta02","v1.6.31beta03","v1.6.31beta04","v1.6.31beta05","v1.6.31beta06","v1.6.31beta07","v1.6.31rc01","v1.6.31rc02","v1.6.32","v1.6.32beta01","v1.6.32beta02","v1.6.32beta03","v1.6.32beta05","v1.6.32beta06","v1.6.32beta07","v1.6.32beta08","v1.6.32beta09","v1.6.32beta10","v1.6.32beta11","v1.6.32rc01","v1.6.32rc02","v1.6.33","v1.6.33beta01","v1.6.33beta02","v1.6.33beta03","v1.6.33rc01","v1.6.33rc02","v1.6.34","v1.6.35","v1.6.35beta01","v1.6.36","v1.6.37","v1.6.38","v1.6.39","v1.6.3beta01","v1.6.3beta02","v1.6.3beta03","v1.6.3beta04","v1.6.3beta05","v1.6.3beta06","v1.6.3beta07","v1.6.3beta08","v1.6.3beta09","v1.6.3beta10","v1.6.3rc01","v1.6.4","v1.6.40","v1.6.41","v1.6.42","v1.6.43","v1.6.44","v1.6.45","v1.6.46","v1.6.47","v1.6.48","v1.6.49","v1.6.4beta02","v1.6.4rc01","v1.6.5","v1.6.50","v1.6.6","v1.6.7","v1.6.7beta01","v1.6.7beta02","v1.6.7beta03","v1.6.7beta04","v1.6.7rc01","v1.6.7rc02","v1.6.8","v1.6.8beta01","v1.6.8beta02","v1.6.8rc02","v1.6.9","v1.6.9beta01","v1.6.9beta02","v1.6.9beta03","v1.6.9rc01","v1.6.9rc02"],"database_specific":{"vanir_signatures":[{"digest":{"line_hashes":["166375070723291529406421301066248769034","275647010778297936193963675511576832388","256826767335212246520616614652191899280","279336807821086835335477021495116274772","289998086382119027680343151146219735692","127562272222925286109814353033687270978","25813353444574047506367402039418644046","253582453789718568595455958296774742498"],"threshold":0.9},"signature_version":"v1","source":"https://github.com/pnggroup/libpng/commit/49363adcfaf098748d7a4c8c624ad8c45a8c3a86","deprecated":false,"signature_type":"Line","target":{"file":"png.h"},"id":"CVE-2025-65018-547918c0"},{"digest":{"line_hashes":["52540900908244694562855646578057113774","200219053898519147474761570586990540810","23871324486584156747326023564743243101","63048311541359152088830007041723625585"],"threshold":0.9},"signature_version":"v1","source":"https://github.com/pnggroup/libpng/commit/49363adcfaf098748d7a4c8c624ad8c45a8c3a86","deprecated":false,"signature_type":"Line","target":{"file":"pngtest.c"},"id":"CVE-2025-65018-6bf57c8e"},{"id":"CVE-2025-65018-9afdfcea","signature_version":"v1","source":"https://github.com/pnggroup/libpng/commit/49363adcfaf098748d7a4c8c624ad8c45a8c3a86","deprecated":false,"signature_type":"Line","target":{"file":"png.c"},"digest":{"line_hashes":["156580915294223224015440899088615326697","218405736567565762721805663647781263162","85662020663482796805838288188511316315","230686006833406113235008350425423979914","260919417129355689179955630465652050316","95506800799202743812829450076592490423"],"threshold":0.9}},{"digest":{"length":481,"function_hash":"308839484675692000161271595223156832928"},"signature_version":"v1","source":"https://github.com/pnggroup/libpng/commit/49363adcfaf098748d7a4c8c624ad8c45a8c3a86","deprecated":false,"signature_type":"Function","target":{"function":"png_get_copyright","file":"png.c"},"id":"CVE-2025-65018-d048d988"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-65018.json","vanir_signatures_modified":"2026-04-12T19:16:08Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H"}]}