
CVE-2025-64506: CWE-125: Out-of-bounds Read in pnggroup libpng

Severity: Medium
Type: Vulnerability
Tags: CVE-2025-64506, cve, cve-2025-64506, cwe-125
Published: Mon Nov 24 2025 (11/24/2025, 23:41:09 UTC)
Source: CVE Database V5
Vendor/Project: pnggroup
Product: libpng

Description

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, a heap buffer over-read vulnerability exists in libpng's png_write_image_8bit function when processing 8-bit images through the simplified write API with convert_to_8bit enabled. The vulnerability affects 8-bit grayscale+alpha, RGB/RGBA, and images with incomplete row data. A conditional guard incorrectly allows 8-bit input to enter code expecting 16-bit input, causing reads up to 2 bytes beyond allocated buffer boundaries. This issue has been patched in version 1.6.51.

AI-Powered Analysis

Last updated: 11/25/2025, 00:08:15 UTC

Technical Analysis

CVE-2025-64506 identifies a heap buffer over-read vulnerability in the widely used libpng library, specifically in versions from 1.6.0 up to but not including 1.6.51. Libpng is a core library for reading, writing, and manipulating PNG image files across many applications and platforms. The vulnerability resides in the png_write_image_8bit function when handling 8-bit images via the simplified write API with the convert_to_8bit option enabled. The root cause is a conditional guard that incorrectly permits 8-bit input data to be processed by code paths designed for 16-bit input, resulting in reads up to two bytes beyond the allocated buffer. This affects 8-bit grayscale+alpha, RGB/RGBA images, and images with incomplete row data. The out-of-bounds read can lead to application crashes or denial of service due to heap corruption or invalid memory access. Exploitation requires an attacker to supply a specially crafted PNG image to an application using the vulnerable libpng version. No known exploits are reported in the wild as of now. The vulnerability does not allow privilege escalation or direct code execution but can impact availability. The issue was patched in libpng version 1.6.51 by correcting the conditional logic to prevent improper buffer reads.

Potential Impact

For European organizations, the primary impact of CVE-2025-64506 is potential denial of service or application instability in software that uses vulnerable libpng versions for image processing or rendering. This could affect media companies, software developers, embedded device manufacturers, and any enterprise relying on image handling libraries in their products or services. Disruptions could occur in web servers, content management systems, or desktop applications that process user-supplied PNG images, especially if these images are maliciously crafted. While the vulnerability does not directly compromise confidentiality or integrity, service availability may be degraded, leading to operational interruptions and potential reputational damage. Organizations processing large volumes of PNG images or integrating libpng in critical systems should be vigilant. The lack of known exploits reduces immediate risk, but the medium CVSS score indicates that patching is important to prevent future exploitation attempts.

Mitigation Recommendations

European organizations should promptly upgrade all libpng instances to version 1.6.51 or later to remediate this vulnerability. For environments where immediate patching is not feasible, implement strict input validation and sanitization of PNG files before processing, including rejecting malformed or suspicious images. Employ application-level sandboxing or process isolation to limit the impact of potential crashes caused by malformed images. Monitor logs and application behavior for signs of crashes or abnormal memory access related to image processing. Security teams should update threat detection rules to flag anomalous PNG file handling. Developers should review usage of the simplified write API with convert_to_8bit enabled and consider disabling this option if not necessary. Finally, maintain an inventory of software components using libpng to ensure comprehensive coverage of the patch deployment.
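The inventory step above can be partly automated. The following is an added example, not part of the original page or of libpng: it labels recorded version strings against the affected range stated in the description (1.6.0 up to, but not including, 1.6.51) and, where a shared libpng is present, asks it for its version through `png_access_version_number()`. The component names and inventory entries are constructed for illustration.

```python
import ctypes.util
import re

FIRST_AFFECTED = (1, 6, 0)  # advisory: "from version 1.6.0"
FIRST_FIXED = (1, 6, 51)    # advisory: "patched in version 1.6.51"

def parse_version(text):
    """Pull the upstream x.y.z triple out of a package or version string."""
    m = re.search(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(g) for g in m.groups()) if m else None

def decode_runtime_number(n):
    """libpng reports its version as an integer, e.g. 10651 for 1.6.51."""
    return (n // 10000, (n // 100) % 100, n % 100)

def is_affected(version):
    return FIRST_AFFECTED <= version < FIRST_FIXED

def loaded_libpng_version():
    """Version of the shared libpng the loader resolves, or None if not found."""
    for name in ("png16", "png"):
        path = ctypes.util.find_library(name)
        if not path:
            continue
        try:
            fn = ctypes.CDLL(path).png_access_version_number
            fn.restype = ctypes.c_uint32
            return decode_runtime_number(fn())
        except (OSError, AttributeError):
            continue
    return None

def triage(inventory):
    """Label each (component, version string) affected / ok / unknown."""
    report = {}
    for component, raw in inventory:
        v = parse_version(raw)
        report[component] = "unknown" if v is None else "affected" if is_affected(v) else "ok"
    return report

# Constructed sample inventory; component names are hypothetical.
SAMPLE_INVENTORY = [
    ("thumbnail-service", "libpng16-16_1.6.50-1"),
    ("report-generator", "1.6.51"),
    ("firmware-ui", "unknown build"),
]

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{status:8} {name}")
    print("loader-resolved libpng:", loaded_libpng_version())
```

The loader check only sees the shared library; statically linked or vendored copies of libpng need their own inventory entries. A distribution package may also carry the fix under an older upstream version number, so confirm an "affected" result against the vendor's advisory.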


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-11-05T21:15:39.399Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6924efddc5f5f1e21b5dde4e

Added to database: 11/24/2025, 11:53:01 PM

Last enriched: 11/25/2025, 12:08:15 AM

Last updated: 11/25/2025, 1:00:08 AM
