CVE-2025-64505: LIBPNG is vulnerable to a heap buffer overflow in `png_do_quantize` via malformed palette index
Published Nov 22, 2025
·Updated
802.1X. An authentication issue was addressed with improved state management.
Other sources
Accounts. An authorization issue was addressed with improved state management.
— Apple
Admin Framework. A path handling issue was addressed with improved validation.
— Apple
apache. This is a vulnerability in open source code and Apple Software is among the affected projects. The CVE-ID was assigned by a third party. Learn more about the issue and CVE-ID at cve.org.
— Apple
App Protection. The issue was addressed with improved checks.
— Apple
AppleKeyStore. A use after free issue was addressed with improved memory management.
— Apple
Credit
Tuan D. Hoang, Hazem Issa, Yongdae Kim @ KAIST SysSec Lab, Alvin Aries Tapia, an anonymous researcher, Cristian Dinca (icmd.tech), Hossein Lotfi@@hosselot(TrendAI Zero Day Initiative), Etienne Charron (Renault), Victoria Martini (Renault), Zhongcheng Li(IES Red Team), CVE-2025-14524, Andreas Jaegersberger & Ro Achterberg(Nosebeard Labs), XiguaSec, CVE-2025-64505, Gor Aleksanyan(BoB 0xB6), Dhiyanesh Selvaraj@@redroot97(BoB 0xB6), 이동하 (Lee Dong Ha(BoB 0xB6), Jian Lee@@speedyfriend433, DARKNAVY@@DarkNavyOrg, Johnny Franks@@zeroxjf, Ilya Andr (andrd3v)(Voynich Group), Ilias Morad (A2nkF)(Voynich Group), Duy Trần@@khanhduytran0, @@hugeBlack, Himanshu Bharti@@Xpl0itme(Khatima), wdszzml, Atuin Automated Vulnerability Discovery Engine, Guy Dor, Gongyu Ma@@Mezone0, Alex Radocea, Yongdae Kim @ SysSec, KAIST, Caspian Tarafdar, Andrew Becker, webb, Thomas Espach, @@hamayanhamayan, Yeonghyeon Choi, Daniel Rhea, Söhnke Benedikt Fischedick (Tripton), Emrovsky & Switch3301, Yevhen Pervushyn, Minse Kim, Narcis Oliveras Fontàs, Nathaniel Oh@@calysteon, Hongze Wu(Ant Group Infrastructure Security Team), Shuaike Dong(Ant Group Infrastructure Security Team), greenbynox, Arni Hardarson, Héloïse Gollier, Mathy Vanhoef (KU Leuven), Rosyna Keller(Totally Not Malicious Software), Adrián Pérez Martínez, Uluk Abylbekov, Zack Tickman, Justin Cohen(Google), Jex Amro, Johnny Franks (zeroxjf), Kirin@@Pwnrin, iG0x72(XiguaSec), JJ(XiguaSec), Lehan Dilusha Jayasinghe, Mike Cardwell(grepular), Bob Lord, CVE-2025-55753, CVE-2025-58098, CVE-2025-59775, CVE-2025-65082, CVE-2025-66200, Mickey Jin@@patch1t, Amy (amys.website), @@cloudlldb, YingQi Shi@@Mas0nShi(DBAppSecurity's WeBin lab), 风沐云烟@@binary_fmyy, Minghao Lin@@Y1nKoc, hari shanmugam, Sreejith Krishnan R, Chunyu Song(NorthSea), Rodolphe Brunetti@@eisw0lf(Lupus Nova), Matej Moravec@@MacejkoMoravec, Csaba Fitzl@@theevilbit(Iru), Dawuge(Shuffle Team), Hunan University, Kun Peeks@@SwayZGl1tZyyy, Gyujeong Jin at Team.0xb6@@G1uN4sh, Christian Kohlschütter, Dave G., @@pixiepointsec, Ryan Dowd@@_rdowd, Koh M. Nakagawa@@tsunek0h(FFRI Security Inc), Talal Haj Bakry(Mysk Inc), Tommy Mysk@@mysk_co(Mysk Inc), Zhongquan Li@@Guluisacat, Asaf Cohen, Ye Zhang(Baidu Security), Ryan Dowd@@_rdowd(Iru), Joseph Ravichandran@@0xjprx(MIT CSAIL), Yuebin Sun@@yuebinsun2020(SecuRing), an anonymous researcher(SecuRing), Nathaniel Oh@@calysteon(SecuRing), Kirin@@Pwnrin(SecuRing), Wojciech Regula(SecuRing), Joshua Jewett@@JoshJewett33, Gergely Kalman@@gergely_kalman, Andrei Dodu, Morris Richman@@morrisinlife, Luke Roberts@@rookuu, Pedro Tôrres@@t0rr3sp3dr0
Affected Software
14 affected componentsFixes available
libpng LIBPNG<1.6.51
libpng LIBPNG<1.6.51
Microsoft cbl2 libpng 1.6.39-1
Microsoft azl3 libpng 1.6.40-1
Apple tvOS<26.4
26.4
Apple iOS<18.7.7
18.7.7
Apple iPadOS<18.7.7
18.7.7
Apple iOS<26.4
26.4
Apple iPadOS<26.4
26.4
Apple macOS Tahoe<26.4
26.4
Apple WatchOS<26.4
26.4
Apple macOS Sequoia<15.7.5
15.7.5
Apple visionOS<26.4
26.4
Apple macOS Sonoma<14.8.5
14.8.5
Remediation
Event History
Nov 24, 2025
CVE Published
via MITRE·11:38 PM
Data Sourced
via MITRE·11:38 PM
DescriptionSeverityWeakness
Nov 25, 2025
Data Sourced
via NVD·12:15 AM
RemedyDescriptionSeverityWeaknessAffected Software
Nov 26, 2025
Data Sourced
via Microsoft·01:01 AM
DescriptionSeverityWeaknessAffected Software
Updated
via Microsoft·01:01 AM
SeverityAffected Software
Updated
via Microsoft·01:01 AM
DescriptionSeverity
Mar 24, 2026
Data Sourced
via Apple·12:00 AM
DescriptionWeaknessAffected Software
Updated
via Apple·12:00 AM
DescriptionWeakness
Updated
via Apple·12:00 AM
Description
Updated
via Apple·12:00 AM
DescriptionWeaknessAffected Software
Updated
via Apple·12:00 AM
DescriptionAffected Software
May 12, 2026
Updated
via Apple·06:36 PM
DescriptionWeaknessAffected Software
Parent advisories
This vulnerability appears in the following advisories.
Peer vulnerabilities
Found alongside the following vulnerabilities.
- CVE-2026-28865
- CVE-2026-28877
- CVE-2026-28895
- CVE-2026-28879
- CVE-2026-28822
- CVE-2026-28874
- CVE-2026-28875
- CVE-2026-28872
- CVE-2026-28894
- CVE-2026-28866
- CVE-2026-20690
- CVE-2026-28886
- CVE-2026-28878
- CVE-2025-14524
- CVE-2026-28876
- CVE-2026-28870
- CVE-2026-28880
- CVE-2026-28833
- CVE-2025-64505
- CVE-2026-28868
- CVE-2026-28867
- CVE-2026-20698
- CVE-2026-20687
- CVE-2026-28882
- CVE-2026-20692
- CVE-2026-20688
- CVE-2026-28873
- CVE-2026-28863
- CVE-2026-28864
- CVE-2026-28860
- CVE-2026-28856
- CVE-2026-28858
- CVE-2026-28967
- CVE-2026-28852
- CVE-2026-20657
- CVE-2026-20665
- CVE-2026-20643
- CVE-2026-28871
- CVE-2026-20664
- CVE-2026-28857
- CVE-2026-28861
- CVE-2026-28859
- CVE-2026-20691
- CVE-2026-20637
- CVE-2026-20668
- CVE-2025-43534
- CVE-2025-43376
- CVE-2025-55753
- CVE-2025-58098
- CVE-2025-59775
- CVE-2025-65082
- CVE-2025-66200
- CVE-2026-28824
- CVE-2026-20699
- CVE-2026-20660
- CVE-2026-20639
- CVE-2026-28821
- CVE-2026-28838
- CVE-2026-28888
- CVE-2026-20633
- CVE-2026-28892
- CVE-2026-28832
- CVE-2026-28834
- CVE-2026-20695
- CVE-2026-28829
- CVE-2026-20607
- CVE-2026-20651
- CVE-2026-20694
- CVE-2026-28891
- CVE-2026-20701
- CVE-2026-28839
- CVE-2026-28827
- CVE-2026-28816
- CVE-2026-28826
- CVE-2026-20693
- CVE-2026-28862
- CVE-2026-28831
- CVE-2026-28817
- CVE-2026-28835
- CVE-2026-28825
- CVE-2026-28818
- CVE-2026-20697
- CVE-2026-28828
- CVE-2026-28823
- CVE-2026-20696
- CVE-2026-20684
- CVE-2026-28910
- CVE-2026-28893
- CVE-2026-28881
- CVE-2026-28842
- CVE-2026-28841
- CVE-2026-28845
- CVE-2026-20632
- CVE-2026-20631
- CVE-2026-28840
- CVE-2026-28830
- CVE-2026-28820
- CVE-2026-28837
- CVE-2026-28844
Frequently Asked Questions
1
What is the severity of CVE-2025-64505?
CVE-2025-64505 has been rated as a high severity vulnerability due to the potential for heap buffer over-read that could lead to information disclosure.
2
How do I fix CVE-2025-64505?
To mitigate CVE-2025-64505, upgrade libpng to version 1.6.51 or later.
3
What type of vulnerability is CVE-2025-64505?
CVE-2025-64505 is identified as a heap buffer over-read vulnerability.
4
Which versions of libpng are affected by CVE-2025-64505?
CVE-2025-64505 affects all versions of libpng prior to 1.6.51.
5
What might be the impact of exploiting CVE-2025-64505?
Exploiting CVE-2025-64505 could potentially lead to information leakage through the heap buffer over-read.