Two memory handling vulnerabilities in libpng (CVE-2025-64505, CVSS 6.1 MEDIUM, and CVE-2026-25646, CVSS 8.1 HIGH) can be exploited via malicious PNG files to cause denial of service, information disclosure, or arbitrary code execution. The vulnerabilities affect libpng versions prior to 1.6.51 and 1.6.55, respectively. Users must upgrade to libpng version 1.6.55, which includes fixes for both CVEs.
It was discovered that libpng did not properly handle memory when processing certain PNG files. An attacker could possibly use this issue to cause libpng to crash, resulting in a denial of service, or disclose sensitive information. (CVE-2025-64505)
Joshua Inscoe discovered that libpng did not properly handle memory when processing certain PNG files. An attacker could possibly use this issue to cause libpng to crash, resulting in a denial of service, disclose sensitive information, or execute arbitrary code. (CVE-2026-25646)
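
To check which of the two CVEs a given libpng build predates, the following added example (not part of the advisory or of libpng) compares a version against the fixed releases stated above. The function names and sample versions are assumptions made for illustration; `png_access_version_number()` is libpng's own version query.

```python
import ctypes
import ctypes.util
import re

# Fixed-in versions, taken from the advisory text above.
FIXED_IN = {
    "CVE-2025-64505": (1, 6, 51),
    "CVE-2026-25646": (1, 6, 55),
}


def parse_version(version):
    """Accept '1.6.50', '1.6.50-1ubuntu1' or the integer 10650
    (PNG_LIBPNG_VER encoding: major*10000 + minor*100 + release)."""
    if isinstance(version, int):
        return (version // 10000, version // 100 % 100, version % 100)
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised libpng version: {version!r}")
    return tuple(int(p) for p in m.groups())


def affected_cves(version):
    """Return the CVEs from this advisory that the given upstream version predates."""
    v = parse_version(version)
    return sorted(cve for cve, fixed in FIXED_IN.items() if v < fixed)


def loaded_libpng_version():
    """Ask the system libpng for its version number, or None if not found."""
    name = ctypes.util.find_library("png")
    if name is None:
        return None
    fn = ctypes.CDLL(name).png_access_version_number
    fn.restype = ctypes.c_uint32
    return fn()


if __name__ == "__main__":
    # Constructed sample versions, not taken from the advisory.
    for sample in ("1.6.43", "1.6.51", 10655):
        print(sample, "->", affected_cves(sample) or "not affected by these two CVEs")
    found = loaded_libpng_version()
    if found is not None:
        print("system libpng", parse_version(found), "->", affected_cves(found))
```

A distribution package can carry backported fixes under an older upstream version number, so the result applies to upstream releases; for packaged builds, confirm against the vendor's fixed package version.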