
CVE-2025-64720: CWE-125: Out-of-bounds Read in pnggroup libpng

Severity: High
Tags: CVE-2025-64720, CWE-125
Published: Mon Nov 24 2025 (11/24/2025, 23:45:38 UTC)
Source: CVE Database V5
Vendor/Project: pnggroup
Product: libpng

Description

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, an out-of-bounds read vulnerability exists in png_image_read_composite when processing palette images with PNG_FLAG_OPTIMIZE_ALPHA enabled. The palette compositing code in png_init_read_transformations incorrectly applies background compositing during premultiplication, violating the invariant component ≤ alpha × 257 required by the simplified PNG API. This issue has been patched in version 1.6.51.

AI-Powered Analysis

AI analysis last updated: 12/02/2025, 00:30:35 UTC

Technical Analysis

CVE-2025-64720 is an out-of-bounds read vulnerability classified under CWE-125 found in libpng, a widely used library for handling PNG images. The flaw exists specifically in the png_image_read_composite function when processing palette-based PNG images with the PNG_FLAG_OPTIMIZE_ALPHA flag enabled. The root cause is an incorrect application of background compositing during the premultiplication step in the png_init_read_transformations function. This miscalculation violates the invariant that each color component must be less than or equal to alpha multiplied by 257, as required by the simplified PNG API. As a result, the function may read memory beyond the intended buffer boundaries, potentially leading to application crashes or denial of service conditions. The vulnerability affects all libpng versions from 1.6.0 up to but not including 1.6.51, where the issue has been fixed. Exploitation requires no privileges but does require user interaction, such as opening or processing a maliciously crafted PNG file. The CVSS v3.1 score is 7.1, reflecting a high severity due to network attack vector, low attack complexity, no privileges required, but user interaction needed, with impact mainly on availability and limited confidentiality impact. No known exploits have been reported in the wild yet, but the widespread use of libpng in numerous applications and platforms makes this a significant concern.
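The invariant the analysis names (each premultiplied colour component must satisfy component ≤ alpha × 257, with alpha an 8-bit value and 257 the factor that maps 0..255 onto the 16-bit range) is easiest to understand with a small checker. The following is an added example written for this page, not libpng's code: the pixel layout, the `premul_pixel_t` struct, the un-premultiply formula and the sample row are all constructed assumptions chosen to show why a component that exceeds its alpha bound turns into an index past the end of a fixed 256-entry table, which is the shape of an out-of-bounds read, and how a hardened consumer detects such rows before indexing anything.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration of the invariant named in the advisory:
 * in a premultiplied 16-bit row every colour component must satisfy
 * component <= alpha8 * 257, where alpha8 is the 8-bit alpha and 257
 * maps 0..255 onto 0..65535. This is NOT libpng's code or layout. */

#define INVARIANT_OK       0
#define INVARIANT_VIOLATED 1

typedef struct {
    uint16_t rgb[3];   /* premultiplied linear colour, 0..65535 (assumed layout) */
    uint8_t  alpha;    /* 8-bit alpha, 0..255 (assumed layout) */
} premul_pixel_t;

/* Returns INVARIANT_VIOLATED if any colour component exceeds alpha * 257. */
int premul_invariant_violated(const premul_pixel_t *p)
{
    uint32_t limit = (uint32_t)p->alpha * 257u;
    for (int i = 0; i < 3; i++)
        if (p->rgb[i] > limit)
            return INVARIANT_VIOLATED;
    return INVARIANT_OK;
}

/* Un-premultiply one component back to an 8-bit table index (constructed
 * formula). If the invariant holds the result is 0..255 and is a safe
 * index into a 256-entry lookup table; if it does not, the index can run
 * far past 255, which is how a table lookup becomes an out-of-bounds read. */
uint32_t unpremultiply_index(uint16_t component, uint8_t alpha)
{
    if (alpha == 0)
        return 0;                       /* fully transparent: nothing to look up */
    return ((uint32_t)component * 255u) / ((uint32_t)alpha * 257u);
}

/* Scan a row and return how many pixels violate the invariant. A hardened
 * consumer refuses (or clamps) such a row before indexing any fixed table. */
size_t count_violations(const premul_pixel_t *row, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (premul_invariant_violated(&row[i]))
            bad++;
    return bad;
}

/* Constructed sample row: a transparent pixel, a pixel exactly at its
 * alpha bound, and one whose colour exceeds what its alpha permits. */
const premul_pixel_t sample_row[3] = {
    { {     0,     0,     0 },   0 },  /* transparent black */
    { { 32896, 16448,  8224 }, 128 },  /* 128 * 257 = 32896: at the limit, valid */
    { { 65535, 65535, 65535 },  16 },  /* 16 * 257 = 4112: violated */
};

int main(void)
{
    printf("violations in sample row: %zu\n", count_violations(sample_row, 3));
    printf("index for pixel 2: %u (safe)\n", unpremultiply_index(32896, 128));
    printf("index for pixel 3: %u (past a 256-entry table)\n",
           unpremultiply_index(65535, 16));
    return 0;
}
```

The third pixel yields an index of 4064 from a formula whose safe range is 0..255; a consumer that trusts the invariant and skips the bound check reads that far past the table, which is the failure class CWE-125 describes. A check such as `count_violations` placed before any table-driven conversion turns the same input into a rejected row.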

Potential Impact

For European organizations, the impact of this vulnerability can be substantial, especially for those relying on software that processes PNG images using vulnerable libpng versions. Potential impacts include application crashes leading to denial of service, which can disrupt web services, media processing pipelines, or any system handling user-uploaded images. Although the confidentiality impact is limited, availability disruptions can affect customer-facing services and internal workflows. Industries such as media, publishing, software development, and web hosting are particularly at risk. Additionally, embedded systems or IoT devices using libpng could be destabilized. The requirement for user interaction means phishing or social engineering could be vectors to deliver malicious PNG files. Given the high severity and ease of exploitation, failure to patch could lead to operational disruptions and reputational damage. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits over time.

Mitigation Recommendations

European organizations should immediately upgrade libpng to version 1.6.51 or later to eliminate the vulnerability. For software vendors and developers, rebuilding applications with the patched library version is critical. Implement strict validation and sanitization of PNG images, especially those uploaded by users or received from untrusted sources, to detect malformed or suspicious files. Employ runtime protections such as memory safety tools (e.g., AddressSanitizer) during development and testing to catch similar issues early. Network defenses like web application firewalls (WAFs) can be tuned to detect and block suspicious PNG payloads. Educate users and administrators about the risks of opening untrusted image files to reduce the likelihood of exploitation via social engineering. For embedded or IoT devices, coordinate with vendors to ensure timely firmware updates. Continuous monitoring for abnormal application crashes or service disruptions related to image processing can help detect exploitation attempts. Finally, maintain an inventory of software components to identify all instances of vulnerable libpng usage across the organization.
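The last recommendation, an inventory of every libpng instance so that vulnerable copies can be found, reduces to a version-range check: affected builds are 1.6.0 up to but not including 1.6.51. The following is an added example for this page, not code from libpng or from the advisory's authors. It encodes version strings the way libpng's own `PNG_LIBPNG_VER` macro does (major*10000 + minor*100 + release, so 1.6.51 is 10651) and scans a constructed inventory; the `host_entry_t` struct, the host names and the version strings are all constructed assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* Affected range from the advisory, in PNG_LIBPNG_VER encoding:
 * 1.6.0 -> 10600 (first affected), 1.6.51 -> 10651 (first fixed). */
#define CVE_2025_64720_FIRST_AFFECTED 10600L
#define CVE_2025_64720_FIXED          10651L

/* Encode "major.minor.release" as major*10000 + minor*100 + release,
 * matching libpng's PNG_LIBPNG_VER scheme. Returns -1 on malformed input. */
long libpng_version_number(const char *ver)
{
    unsigned major, minor, release;
    char trailing;

    /* The trailing %c only matches if something follows the three numbers,
     * so exactly three conversions means a clean "a.b.c" string. */
    if (sscanf(ver, "%u.%u.%u%c", &major, &minor, &release, &trailing) != 3)
        return -1;
    if (minor > 99 || release > 99)
        return -1;
    return (long)major * 10000L + (long)minor * 100L + (long)release;
}

/* 1 = affected, 0 = not affected, -1 = version string not parsable. */
int libpng_affected_by_cve_2025_64720(const char *ver)
{
    long v = libpng_version_number(ver);
    if (v < 0)
        return -1;
    return (v >= CVE_2025_64720_FIRST_AFFECTED && v < CVE_2025_64720_FIXED) ? 1 : 0;
}

/* Constructed inventory record: one host and the libpng version found on it. */
typedef struct {
    const char *host;
    const char *libpng_version;
} host_entry_t;

/* Walk an inventory, report each affected host, and return the count.
 * Unparsable versions are reported separately rather than silently skipped. */
size_t report_affected_hosts(const host_entry_t *inv, size_t n)
{
    size_t affected = 0;
    for (size_t i = 0; i < n; i++) {
        int r = libpng_affected_by_cve_2025_64720(inv[i].libpng_version);
        if (r == 1) {
            printf("AFFECTED   %-16s libpng %s\n", inv[i].host, inv[i].libpng_version);
            affected++;
        } else if (r < 0) {
            printf("UNPARSABLE %-16s libpng '%s'\n", inv[i].host, inv[i].libpng_version);
        }
    }
    return affected;
}

/* Constructed sample inventory (host names and versions are made up). */
const host_entry_t sample_inventory[5] = {
    { "web-01.example",   "1.6.50" },  /* affected */
    { "web-02.example",   "1.6.51" },  /* fixed */
    { "build-01.example", "1.6.0"  },  /* affected: first version in the range */
    { "legacy.example",   "1.5.30" },  /* outside the range */
    { "iot-gw.example",   "n/a"    },  /* unparsable: needs manual follow-up */
};

int main(void)
{
    size_t n = report_affected_hosts(sample_inventory, 5);
    printf("%zu affected host(s)\n", n);
    return 0;
}
```

At runtime the version string of the linked library comes from `png_get_libpng_ver(NULL)`, and at build time `PNG_LIBPNG_VER` can be compared directly against the two constants above; on a packaged system `pkg-config --modversion libpng` supplies the same string for this parser.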


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-11-10T14:07:42.922Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6924efddc5f5f1e21b5dde43

Added to database: 11/24/2025, 11:53:01 PM

Last enriched: 12/2/2025, 12:30:35 AM

Last updated: 1/9/2026, 4:46:58 AM

Views: 240

Community Reviews

0 reviews

