# Out-of-bounds read in

## Summary

An out-of-bounds read vulnerability in libpng's simplified API allows reading up to 1012 bytes beyond the array when processing palette PNG images with partial transparency and gamma correction.

## Trigger Conditions

All of the following conditions must be met:

1. Palette image (IHDR color type 3)
2. Partial transparency via a tRNS chunk with alpha values between 1 and 254
3. Gamma correction via a gAMA chunk with a non-1.0 gamma value
4. Simplified API used ( and )
5. Output format without alpha (e.g., PNG_FORMAT_RGB)
6. No explicit background color ( in )

## Root Cause

The function assumes pixel data has been premultiplied by , producing linear values where always holds. This invariant is violated for palette images with gamma correction due to a flag synchronization bug.

## Impact

- Information disclosure: reading adjacent global data ( and potentially other globals).
- Denial of service: a read extending up to 1012 bytes past the array may access unmapped memory and crash the process.
- No attacker control required: legitimate, non-malicious PNG files trigger this bug.

## Fix

The fix consists of two commits:

- Commit 1: Defensive Bounds Check
- Commit 2: Flag Synchronization Fix

## Mitigation

Upgrade to libpng 1.6.52 or later. If an immediate upgrade is not possible:

- Provide an explicit background color to .
- Use the low-level API instead of the simplified API.
- Request alpha-preserving output (e.g., PNG_FORMAT_RGBA) to avoid the composition path.

## Key Points

- Affected versions: >= 1.6.0, < 1.6.52
- Patched versions: 1.6.52
- CVE ID: CVE-2025-66293
- Severity: 7.1/10
- CVSS v3 base metrics:
  - Attack vector: Network
  - Attack complexity: Low
  - Privileges required: None
  - User interaction: Required
  - Scope: Unchanged
  - Confidentiality: Low
  - Integrity: None
  - Availability: High
- Weaknesses: CWE-125
- Credits: Reported by flyfish101
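Triage helper for the image-side trigger conditions listed above (conditions 1 to 3), added here as an example and not part of the advisory or of libpng: it walks the PNG chunk stream and flags files that are palette images with partial tRNS alpha and a gAMA value other than 1.0. Conditions 4 to 6 are properties of the consuming program rather than of the file, so a match means only that the file can reach the affected code path in an unpatched build; the sample PNG is constructed inline, and the gAMA encoding (gamma times 100000, so exactly 100000 means 1.0) is taken from the PNG specification.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _chunk(ctype, data):
    """Serialise one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def iter_chunks(png):
    """Yield (type, data) for each chunk; reject a bad signature or CRC."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    pos = 8
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])[0]
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC in chunk %r" % ctype)
        yield ctype, data
        pos += 12 + length
        if ctype == b"IEND":
            break

def matches_trigger_conditions(png):
    """True if the file is a colour-type-3 image with partial tRNS alpha
    (1..254) and a gAMA chunk whose value is not exactly 1.0."""
    color_type = None
    partial_alpha = False
    gamma_non_unity = False
    for ctype, data in iter_chunks(png):
        if ctype == b"IHDR":
            color_type = data[9]          # byte 9 of IHDR is the colour type
        elif ctype == b"tRNS":
            # For colour type 3, tRNS holds one alpha byte per palette entry.
            partial_alpha = any(1 <= a <= 254 for a in data)
        elif ctype == b"gAMA":
            gamma_non_unity = struct.unpack(">I", data)[0] != 100000
    return color_type == 3 and partial_alpha and gamma_non_unity

def build_palette_png(alphas, gamma):
    """Constructed 2x1 palette PNG used as sample input (not a real file)."""
    ihdr = struct.pack(">IIBBBBB", 2, 1, 8, 3, 0, 0, 0)   # 2x1, 8-bit, type 3
    plte = bytes([255, 0, 0, 0, 0, 255])                  # two palette entries
    gama = struct.pack(">I", int(round(gamma * 100000)))
    raw = b"\x00" + bytes([0, 1])                         # filter 0 + 2 indices
    chunks = [_chunk(b"IHDR", ihdr), _chunk(b"gAMA", gama), _chunk(b"PLTE", plte)]
    if alphas is not None:
        chunks.append(_chunk(b"tRNS", bytes(alphas)))
    chunks += [_chunk(b"IDAT", zlib.compress(raw)), _chunk(b"IEND", b"")]
    return PNG_SIG + b"".join(chunks)
```

Files that match should be decoded with a patched libpng, or with an explicit background colour or an alpha-preserving output format, per the mitigation list above.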