CVE-2025-64720: CWE-125: Out-of-bounds Read in pnggroup libpng

Severity: High
Type: Vulnerability
Tags: CVE-2025-64720, cve, cve-2025-64720, cwe-125
Published: Mon Nov 24 2025 (11/24/2025, 23:45:38 UTC)
Source: CVE Database V5
Vendor/Project: pnggroup
Product: libpng

Description

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, an out-of-bounds read vulnerability exists in png_image_read_composite when processing palette images with PNG_FLAG_OPTIMIZE_ALPHA enabled. The palette compositing code in png_init_read_transformations incorrectly applies background compositing during premultiplication, violating the invariant component ≤ alpha × 257 required by the simplified PNG API. This issue has been patched in version 1.6.51.

AI-Powered Analysis

Last updated: 11/25/2025, 00:08:04 UTC

Technical Analysis

CVE-2025-64720 identifies an out-of-bounds read vulnerability in libpng, a widely used library for handling PNG image files. The vulnerability exists in versions from 1.6.0 up to but not including 1.6.51, specifically within the png_image_read_composite function when processing palette images with the PNG_FLAG_OPTIMIZE_ALPHA flag enabled. The root cause is an incorrect application of background compositing during premultiplication in the palette compositing code (png_init_read_transformations), which violates the invariant that each color component must be less than or equal to alpha multiplied by 257. This violation leads to reading memory outside the intended buffer bounds, classified as CWE-125 (Out-of-bounds Read). The consequence of this flaw is primarily a potential denial of service through application crashes or unexpected behavior when processing maliciously crafted PNG images. The vulnerability does not require privileges but does require user interaction, such as opening or processing a specially crafted PNG file. The CVSS v3.1 base score is 7.1, reflecting high severity due to network attack vector, low attack complexity, no privileges required, but requiring user interaction, with limited confidentiality impact and high availability impact. The issue has been addressed and patched in libpng version 1.6.51. There are no known exploits in the wild at this time, but the widespread use of libpng in many applications and systems makes this a significant concern.

Potential Impact

For European organizations, the impact of CVE-2025-64720 can be significant, especially for those relying on software that uses vulnerable libpng versions for image processing, such as web browsers, graphic design tools, content management systems, and document viewers. An attacker could craft malicious PNG images that, when processed, trigger out-of-bounds reads causing application crashes or denial of service, disrupting business operations or user services. Although the confidentiality impact is low, the availability impact is high, potentially leading to service interruptions or degraded user experience. Sectors such as media, publishing, government, and financial services that handle large volumes of image data or rely on image processing workflows are particularly at risk. Additionally, embedded systems or IoT devices in Europe using vulnerable libpng versions could be destabilized, affecting critical infrastructure or industrial control systems. The lack of known exploits currently reduces immediate risk but does not eliminate the potential for future attacks, especially as threat actors develop exploit code.

Mitigation Recommendations

European organizations should immediately audit their software inventory to identify applications and systems using libpng versions between 1.6.0 and 1.6.50. Prioritize upgrading to libpng version 1.6.51 or later where feasible. For third-party software that bundles libpng, coordinate with vendors to obtain patched versions or apply vendor-provided updates. Implement network-level protections such as filtering or sandboxing to isolate image processing components, reducing the impact of potential crashes. Employ runtime application self-protection (RASP) or memory protection technologies like ASLR and DEP to mitigate exploitation attempts. Educate users to avoid opening untrusted or unsolicited PNG files, especially from unknown sources. Monitor logs and application behavior for crashes or anomalies related to image processing. In environments where immediate patching is not possible, consider disabling PNG_FLAG_OPTIMIZE_ALPHA usage if configurable, or restricting image formats accepted by critical applications. Maintain up-to-date threat intelligence feeds to detect emerging exploit attempts targeting this vulnerability.
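The inventory audit recommended above also has to cover software that bundles or statically links libpng, which a package manager will not list. The following is an added example, not part of the original advisory or of libpng: it scans file contents for a version banner and flags versions in the affected range. It assumes that libpng builds embed a "libpng version X.Y.Z" string; the function names and the sample bytes are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Affected range taken from the advisory: 1.6.0 <= version < 1.6.51.
FIRST_AFFECTED = (1, 6, 0)
FIRST_FIXED = (1, 6, 51)

# Assumption: libpng builds carry a "libpng version X.Y.Z" banner in their
# copyright/header strings, which survives static linking and bundling.
BANNER = re.compile(rb"libpng version (\d+)\.(\d+)\.(\d+)")


def is_affected(version):
    """True when a (major, minor, patch) tuple falls in the advisory's range."""
    return FIRST_AFFECTED <= version < FIRST_FIXED


def embedded_versions(blob):
    """Return the sorted set of libpng versions whose banner appears in blob."""
    return sorted({tuple(int(g) for g in m.groups()) for m in BANNER.finditer(blob)})


def classify(blob):
    """Map each embedded version string to 'affected' or 'not affected'."""
    return {
        ".".join(map(str, v)): "affected" if is_affected(v) else "not affected"
        for v in embedded_versions(blob)
    }


def scan_tree(root):
    """Yield (path, findings) for every regular file under root with a banner."""
    for path in Path(root).rglob("*"):
        try:
            if path.is_file() and not path.is_symlink():
                findings = classify(path.read_bytes())
                if findings:
                    yield path, findings
        except OSError:
            continue  # unreadable file: skip it, do not abort the inventory


# Constructed sample: bytes standing in for a binary that bundles libpng.
SAMPLE = b"\x7fELF\x00\x00 libpng version 1.6.37 - April 14, 2019\n\x00\x00"

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    hits = scan_tree(target) if target else [("<sample>", classify(SAMPLE))]
    for path, findings in hits:
        print(path, findings)
```

A distribution package may carry a backported fix under an older version number, so treat a hit as a prompt to check the vendor's advisory, not as proof of exposure.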

Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-11-10T14:07:42.922Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6924efddc5f5f1e21b5dde43

Added to database: 11/24/2025, 11:53:01 PM

Last enriched: 11/25/2025, 12:08:04 AM

Last updated: 11/25/2025, 1:13:24 AM
