CVE-2025-28164

EUVD-2025-206406
Buffer Overflow vulnerability in libpng 1.6.43-1.6.46 allows a local attacker to cause a denial of service via png_create_read_struct() function.
Classic Buffer Overflow
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CISA-ADPADP
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 2%
Affected Products (NVD)
VendorProductVersion
libpnglibpng
1.6.43 ≤
𝑥
≤ 1.6.46
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libpng1.6
bookworm
unimportant
bookworm (security)
unimportant
bullseye
unimportant
bullseye (security)
unimportant
forky
1.6.55-1
fixed
sid
1.6.55-1
fixed
trixie
1.6.48-1+deb13u1
fixed
trixie (security)
1.6.48-1+deb13u3
fixed
Common Weakness Enumeration
References
https://gist.github.com/kittener/506516f8c22178005b4379c8b2a7de20
https://github.com/pnggroup/libpng/issues/655