CVE-2025-28162

EUVD-2025-206405
Buffer Overflow vulnerability in libpng 1.6.43-1.6.46 allows a local attacker to cause a denial of service via the pngimage with AddressSanitizer (ASan), the program leaks memory in various locations, eventually leading to high memory usage and causing the program to become unresponsive
Classic Buffer Overflow
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CISA-ADPADP
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 2%
Affected Products (NVD)
VendorProductVersion
libpnglibpng
1.6.43 ≤
𝑥
≤ 1.6.46
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libpng1.6
bookworm
no-dsa
bookworm (security)
unimportant
bullseye
postponed
bullseye (security)
unimportant
forky
1.6.55-1
fixed
sid
1.6.55-1
fixed
trixie
1.6.48-1+deb13u1
fixed
trixie (security)
1.6.48-1+deb13u3
fixed
Common Weakness Enumeration
References
https://gist.github.com/kittener/fbfdb9b5610c6b3db0d5dea045a07c60
https://github.com/pnggroup/libpng/issues/656