SUSE-SU-2026:2619-1
Vulnerability from csaf_suse - Published: 2026-06-24 09:03 - Updated: 2026-06-24 09:03
Summary
Security update for libpng15
Severity
Moderate
Notes
Title of the patch: Security update for libpng15
Description of the patch: This update for libpng15 fixes the following issues:
Security issues:
- CVE-2025-64720: buffer overflow in `png_image_read_composite` via incorrect palette premultiplication (bsc#1254159).
Non security issue:
- version update to 1.5.30 (jsc#PED-16191).
Changes for libpng15:
- Replaced 'unexpected' with an integer in pngset.c where a long was
expected, to avoid a compiler warning when PNG_DEBUG > 1.
- Fix typecast in a png_debug2() statement in png_set_text_2() to
avoid a compiler warning in PNG_DEBUG builds.
- Avoid Coverity issue 80858 (REVERSE NULL) in pngtest.c PNG_DEBUG builds.
- Avoid a harmless potential integer overflow in png_XYZ_from_xy() (Bug
report from Christopher Ferris).
- Removed WRITE_WEIGHTED_FILTERED code, to save a few kbytes of the
compiled library size. It never worked properly and as far as we can
tell, no one uses it. The png_set_filter_heuristics() and
png_set_filter_heuristics_fixed() APIs are retained but deprecated
and do nothing.
- Avoid potentially dereferencing NULL info_ptr in png_info_init_3().
Eliminated unused PNG_COST_SHIFT, PNG_WEIGHT_SHIFT, PNG_COST_FACTOR, and
PNG_WEIGHT_FACTOR macros.
- Fixed potential leak of png_pixels in contrib/pngminus/pnm2png.c
- Fixed uninitialized variable in contrib/gregbook/rpng2-x.c
- Fixed some bad links in the man page.
- Safely convert num_bytes to a png_byte in png_set_sig_bytes() (Robert
Seacord).
- Fixed the recently reported 1's complement security issue by replacing
the value that is illegal in the PNG spec, in both signed and unsigned
values, with 0. Illegal unsigned values (anything greater than or equal
to 0x80000000) can still pass through, but since these are not illegal
in ANSI-C (unlike 0x80000000 in the signed case) the checking that
occurs later can catch them (John Bowler).
- Fixed png_save_int_32 when int is not 2's complement (John Bowler).
- Fixed byte order in png_do_read_filler() with 16-bit input (previously
fixed in libpng-1.6.17 and 1.7.0beta46). Previously the high and
low bytes of the filler, from png_set_filler() or from
png_set_add_alpha(), were read in the wrong order.
- Merged pngvalid.c with version 1.6.19.
- Added sPLT support to pngtest.c
- Prevent writing over-length PLTE chunk (Cosmin Truta).
- Libpng incorrectly calculated the output rowbytes when the application
decreased either the number of channels or the bit depth (or both) in
a user transform. This was safe; libpng overallocated buffer space
(potentially by quite a lot; up to 4 times the amount required) but,
from 1.5.4 on, resulted in a png_error (John Bowler).
- Silently truncate over-length PLTE chunk while reading.
- Fixed some inconsequential cut-and-paste typos in png_set_cHRM_XYZ_fixed().
- Clarified COPYRIGHT information to state explicitly that versions
are derived from previous versions.
Removed much of the long list of previous versions from png.h and
libpng.3.
- Fixed new bug with CRC error after reading an over-length palette
(bug report by Cosmin Truta) (CVE-2015-8126).
- Cleaned up coding style in png_handle_PLTE().
- Avoid potential pointer overflow in png_handle_iTXt(), png_handle_zTXt(),
png_handle_sPLT(), and png_handle_pCAL() (Bug report by John Regehr).
- Fixed incorrect implementation of png_set_PLTE() that uses png_ptr
not info_ptr, that left png_set_PLTE() open to the CVE-2015-8126
vulnerability. Fixes CVE-2015-8472.
- Fixed an out-of-range read in png_check_keyword() (Bug report from
Qixue Xiao, CVE-2015-8540).
- Corrected copyright dates in source files.
- Moved png_check_keyword() from pngwutil.c to pngset.c
- Added keyword checks to pngset.c (John Bowler).
- Removed LE/BE dependencies in pngvalid, to 'fix' the current problem
in the BigEndian tests by not testing it, making the BE code the same
as the LE version.
- Fixes to pngvalid for various reduced build configurations (eliminate unused
statics) and a fix for the case in rgb_to_gray when the digitize option
reduces graylo to 0, producing a large error.
- Widened the 'limit' check on the internally calculated error limits in
the 'DIGITIZE' case (the code used prior to 1.7 for rgb_to_gray error
checks) and changed the check to only operate in non-release builds
(base build type not RC or RELEASE.)
- Fixed undefined behavior in pngvalid.c, undefined because
(png_byte) << shift is undefined if it changes the signed bit
(because png_byte is promoted to int). The libpng exported functions
png_get_uint_32 and png_get_uint_16 handle this. (Bug reported by
David Drysdale as a result of reports from UBSAN in clang 3.8).
This changes pngvalid to use BE random numbers; this used to produce
errors but these should not be fixed as a result of the previous changes.
In projects/vstudio, combined readme.txt and WARNING into README.txt
Worked around a false-positive Coverity issue in pngvalid.c.
Only use exit(77) from pngvalid.c in configure builds.
- Updated CMakeLists.txt, added supporting scripts/gen*.cmake.in
and test.cmake.in (Roger Leigh).
- Added a common-law trademark notice and export control information
to the LICENSE file, png.h, and the man page.
- Changed PNG_INFO_cHNK and PNG_FREE_cHNK from 0xnnnn to 0xnnnnU in png.h
(Robert C. Seacord).
- Fixed some misleading indentation in pngvalid.c (Krishnaraj Bhat).
- Fixed typo (missing underscore) in #define PNG_READ_16_TO_8_SUPPORTED
(Bug report by Y.Ohashik).
- Added PNG_FAST_FILTERS macro (defined as
PNG_FILTER_NONE|PNG_FILTER_SUB|PNG_FILTER_UP).
- Merged with current libpng16 gregbook, pngvalid.c, pngtest.c, pngminim,
pngminus
- Fixed undefined behavior in png_push_save_buffer(). Do not call
memcpy() with a null source, even if count is zero (Leon Scroggins III).
- Added 'Common linking failures' section to INSTALL.
- Merge contrib/pngminim/*/makefile with libpng-1.6.24
- Minor editing of INSTALL, (whitespace, added copyright line)
- Removed the use of a macro containing the pre-processor 'defined'
operator. It is unclear whether this is valid; a macro that
'generates' 'defined' is not permitted, but the use of the word
'generates' within the C90 standard seems to imply more than simple
substitution of an expression itself containing a well-formed defined
operation.
Previously the pngtrans.c code always resulted in an unsigned arithmetic
overflow. This is well defined but produces errors from clang with the
option to detect unsigned overflow. As the expression only gets
evaluated once per row in this version of libpng it is easier just
to rewrite it.
- The previous version of png.c produced a signed overflow as a result of
both the '& 0xffff' on the most significant bits of a negative argument;
this converted (-1) into 65535 which resulted in a subsequent overflow.
Since signed overflow is undefined in C90 the code has been modified to
correctly calculate a signed result. This requires changing the 'hi'
result parameter to a signed value.
This has been code reviewed solely by the author. A further code review
is highly desirable. Nevertheless the code compiles without warnings
from clang and without the prior detection of an overflow. Since it no
longer truncates any of the intermediate values this should be enough to
ensure that it is correct.
- Fixed a potential null pointer dereference in png_set_text_2() (bug report
and patch by Patrick Keshishian, CVE-2016-10087).
- Suppress clang warnings about implicit sign changes in png.c
- Avoid potential overflow of shift operations in png_do_expand() (Aaron Boxer).
- Added missing '$(CPPFLAGS)' to the compile line for c.pic.o in
makefile.linux and makefile.solaris-x86 (Cosmin).
Silence clang -Wcomma warnings (Viktor Szakats).
- Update Sourceforge URLs in documentation (https instead of http).
- Added png_check_chunk_length() function (Fixes CVE-2017-12652).
- Moved chunk-name and chunk-length checks into PNG_EXTERN private
png_check_chunk_name() and png_check_chunk_length() functions
(Suggested by Max Stepin).
- Merged pngtest.c with libpng-1.6.32.
- Check for 0 return from png_get_rowbytes() in contrib/pngminus/*.c to stop
some Coverity issues (162705, 162706, and 162707).
Added PNGMINUS_UNUSED macro to contrib/pngminus/p*.c and added missing
parenthesis in contrib/pngminus/pnm2png.c (bug report by Christian Hesse).
- Fixed off-by-one error in png_do_check_palette_indexes() (Bug report
by Mick P., Source Forge Issue #269).
- Compute a larger limit on IDAT because some applications write a deflate
buffer for each row (Bug report by Andrew Church).
- Fixed incorrect typecast of some arguments to png_malloc() and
png_calloc() that were png_uint_32 instead of png_alloc_size_t
(Bug report by 'irwir' in Github libpng issue #175).
- Initialize memory allocated by png_inflate to zero, using memset, to
stop an oss-fuzz 'use of uninitialized value' detection in png_set_text_2()
due to truncated iTXt or zTXt chunk.
Patchnames: SUSE-2026-2619,SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2026-2619
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
CVSS v3.1 base score: 6.8 (Medium)
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 | libpng15-15-1.5.30-10.13.1.x86_64 | 1.5.30-10.13.1 | Vendor Fix |
Threats
Impact
moderate
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for libpng15",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for libpng15 fixes the following issues\n\nSecurity issues:\n\n- CVE-2025-64720: buffer overflow in `png_image_read_composite` via incorrect palette premultiplication (bsc#1254159).\n\nNon security issue:\n\n- version update to 1.5.30 (jsc#PED-16191).\n\nChanges for libpng15:\n\n- Replaced \u0027unexpected\u0027 with an integer in pngset.c where a long was\n expected, to avoid a compiler warning when PNG_DEBUG \u003e 1.\n- Fix typecast in a png_debug2() statement in png_set_text_2() to\n avoid a compiler warning in PNG_DEBUG builds.\n- Avoid Coverity issue 80858 (REVERSE NULL) in pngtest.c PNG_DEBUG builds.\n- Avoid a harmless potential integer overflow in png_XYZ_from_xy() (Bug\n report from Christopher Ferris).\n- Removed WRITE_WEIGHTED_FILTERED code, to save a few kbytes of the\n compiled library size. It never worked properly and as far as we can\n tell, no one uses it. The png_set_filter_heuristics() and\n png_set_filter_heuristics_fixed() APIs are retained but deprecated\n and do nothing.\n- Avoid potentially dereferencing NULL info_ptr in png_info_init_3().\n Eliminated unused PNG_COST_SHIFT, PNG_WEIGHT_SHIFT, PNG_COST_FACTOR, and\n PNG_WEIGHT_FACTOR macros.\n- Fixed potential leak of png_pixels in contrib/pngminus/pnm2png.c\n- Fixed uninitialized variable in contrib/gregbook/rpng2-x.c\n- Fixed some bad links in the man page.\n- Safely convert num_bytes to a png_byte in png_set_sig_bytes() (Robert\n Seacord).\n- Fixed the recently reported 1\u0027s complement security issue by replacing\n the value that is illegal in the PNG spec, in both signed and unsigned\n values, with 0. Illegal unsigned values (anything greater than or equal\n to 0x80000000) can still pass through, but since these are not illegal\n in ANSI-C (unlike 0x80000000 in the signed case) the checking that\n occurs later can catch them (John Bowler).\n- Fixed png_save_int_32 when int is not 2\u0027s complement (John Bowler).\n- Fixed byte order in png_do_read_filler() with 16-bit input (previously\n fixed in libpng-1.6.17 and 1.7.0beta46). Previously the high and\n low bytes of the filler, from png_set_filler() or from\n png_set_add_alpha(), were read in the wrong order.\n- Merged pngvalid.c with version 1.6.19.\n- Added sPLT support to pngtest.c\n- Prevent writing over-length PLTE chunk (Cosmin Truta).\n- Libpng incorrectly calculated the output rowbytes when the application\n decreased either the number of channels or the bit depth (or both) in\n a user transform. This was safe; libpng overallocated buffer space\n (potentially by quite a lot; up to 4 times the amount required) but,\n from 1.5.4 on, resulted in a png_error (John Bowler).\n- Silently truncate over-length PLTE chunk while reading.\n- Fixed some inconsequential cut-and-paste typos in png_set_cHRM_XYZ_fixed().\n- Clarified COPYRIGHT information to state explicitly that versions\n are derived from previous versions.\n Removed much of the long list of previous versions from png.h and\n libpng.3.\n- Fixed new bug with CRC error after reading an over-length palette\n (bug report by Cosmin Truta) (CVE-2015-8126).\n- Cleaned up coding style in png_handle_PLTE().\n- Avoid potential pointer overflow in png_handle_iTXt(), png_handle_zTXt(),\n png_handle_sPLT(), and png_handle_pCAL() (Bug report by John Regehr).\n- Fixed incorrect implementation of png_set_PLTE() that uses png_ptr\n not info_ptr, that left png_set_PLTE() open to the CVE-2015-8126\n vulnerability. Fixes CVE-2015-8472.\n- Fixed an out-of-range read in png_check_keyword() (Bug report from\n- Qixue Xiao, CVE-2015-8540).\n- Corrected copyright dates in source files.\n- Moved png_check_keyword() from pngwutil.c to pngset.c\n- Added keyword checks to pngset.c (John Bowler).\n- Removed LE/BE dependencies in pngvalid, to \u0027fix\u0027 the current problem\n in the BigEndian tests by not testing it, making the BE code the same\n as the LE version.\n- Fixes to pngvalid for various reduced build configurations (eliminate unused\n statics) and a fix for the case in rgb_to_gray when the digitize option\n reduces graylo to 0, producing a large error.\n- Widened the \u0027limit\u0027 check on the internally calculated error limits in\n the \u0027DIGITIZE\u0027 case (the code used prior to 1.7 for rgb_to_gray error\n checks) and changed the check to only operate in non-release builds\n (base build type not RC or RELEASE.)\n- Fixed undefined behavior in pngvalid.c, undefined because\n (png_byte) \u003c\u003c shift is undefined if it changes the signed bit\n (because png_byte is promoted to int). The libpng exported functions\n png_get_uint_32 and png_get_uint_16 handle this. (Bug reported by\n David Drysdale as a result of reports from UBSAN in clang 3.8).\n This changes pngvalid to use BE random numbers; this used to produce\n errors but these should not be fixed as a result of the previous changes.\n In projects/vstudio, combined readme.txt and WARNING into README.txt\n Worked around a false-positive Coverity issue in pngvalid.c.\n Only use exit(77) from pngvalid.c in configure builds.\n- Updated CMakeLists.txt, added supporting scripts/gen*.cmake.in\n and test.cmake.in (Roger Leigh).\n- Added a common-law trademark notice and export control information\n to the LICENSE file, png.h, and the man page.\n- Changed PNG_INFO_cHNK and PNG_FREE_cHNK from 0xnnnn to 0xnnnnU in png.h\n (Robert C. Seacord).\n- Fixed some misleading indentation in pngvalid.c (Krishnaraj Bhat).\n- Fixed typo (missing underscore) in #define PNG_READ_16_TO_8_SUPPORTED\n Bug report by (Y.Ohashik).\n- Added PNG_FAST_FILTERS macro (defined as\n PNG_FILTER_NONE|PNG_FILTER_SUB|PNG_FILTER_UP).\n- Merged with current libpng16 gregbook, pngvalid.c, pngtest.c, pngminim,\n pngminus\n- Fixed undefined behavior in png_push_save_buffer(). Do not call\n memcpy() with a null source, even if count is zero (Leon Scroggins III).\n- Added \u0027Common linking failures\u0027 section to INSTALL.\n- Merge contrib/pngminim/*/makefile with libpng-1.6.24\n- Minor editing of INSTALL, (whitespace, added copyright line)\n- Removed the use of a macro containing the pre-processor \u0027defined\u0027\n operator. It is unclear whether this is valid; a macro that\n \u0027generates\u0027 \u0027defined\u0027 is not permitted, but the use of the word\n \u0027generates\u0027 within the C90 standard seems to imply more than simple\n substitution of an expression itself containing a well-formed defined\n operation.\n Previously the pngtrans.c code always resulted in an unsigned arithmetic\n overflow. This is well defined but produces errors from clang with the\n option to detect unsigned overflow. As the expression only gets\n evaluated once per row in this version of libpng it is easier just\n to rewrite it.\n- The previous version of png.c produced a signed overflow as a result of\n both the \u0027\u0026 0xffff\u0027 on the most significant bits of a negative argument;\n this converted (-1) into 65535 which resulted in a subsequent overflow.\n Since signed overflow is undefined in C90 the code has been modified to\n correctly calculate a signed result. This requires changing the \u0027hi\u0027\n result parameter to a signed value.\n This has been code reviewed solely by the author. A further code review\n is highly desireable. Nevertheless the code compiles without warnings\n from clang and without the prior detection of an overflow. Since it no\n longer truncates any of the intermediate values this should be enough to\n ensure that it is correct.\n- Fixed a potential null pointer dereference in png_set_text_2() (bug report\n and patch by Patrick Keshishian, CVE-2016-10087).\n- Suppress clang warnings about implicit sign changes in png.c\n- Avoid potential overflow of shift operations in png_do_expand() (Aaron Boxer).\n- Added missing \u0027$(CPPFLAGS)\u0027 to the compile line for c.pic.o in\n makefile.linux and makefile.solaris-x86 (Cosmin).\n Silence clang -Wcomma warnings (Viktor Szakats).\n- Update Sourceforge URLs in documentation (https instead of http).\n- Added png_check_chunk_length() function (Fixes CVE-2017-12652).\n- Moved chunk-name and chunk-length checks into PNG_EXTERN private\n png_check_chunk_name() and png_check_chunk_length() functions\n (Suggested by Max Stepin).\n- Merged pngtest.c with libpng-1.6.32.\n- Check for 0 return from png_get_rowbytes() in contrib/pngminus/*.c to stop\n some Coverity issues (162705, 162706, and 162707).\n Added PNGMINUS_UNUSED macro to contrib/pngminus/p*.c and added missing\n parenthesis in contrib/pngminus/pnm2png.c (bug report by Christian Hesse).\n- Fixed off-by-one error in png_do_check_palette_indexes() (Bug report\n by Mick P., Source Forge Issue #269).\n- Compute a larger limit on IDAT because some applications write a deflate\n buffer for each row (Bug report by Andrew Church).\n- Fixed incorrect typecast of some arguments to png_malloc() and\n png_calloc() that were png_uint_32 instead of png_alloc_size_t\n (Bug report by \u0027irwir\u0027 in Github libpng issue #175).\n- Initialize memory allocated by png_inflate to zero, using memset, to\n stop an oss-fuzz \u0027use of uninitialized value\u0027 detection in png_set_text_2()\n due to truncated iTXt or zTXt chunk.\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2026-2619,SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2026-2619",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_2619-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:2619-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20262619-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:2619-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-June/047603.html"
},
{
"category": "self",
"summary": "SUSE Bug 1254159",
"url": "https://bugzilla.suse.com/1254159"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64720 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64720/"
}
],
"title": "Security update for libpng15",
"tracking": {
"current_release_date": "2026-06-24T09:03:55Z",
"generator": {
"date": "2026-06-24T09:03:55Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:2619-1",
"initial_release_date": "2026-06-24T09:03:55Z",
"revision_history": [
{
"date": "2026-06-24T09:03:55Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "libpng15-15-1.5.30-10.13.1.aarch64",
"product": {
"name": "libpng15-15-1.5.30-10.13.1.aarch64",
"product_id": "libpng15-15-1.5.30-10.13.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "libpng15-15-64bit-1.5.30-10.13.1.aarch64_ilp32",
"product": {
"name": "libpng15-15-64bit-1.5.30-10.13.1.aarch64_ilp32",
"product_id": "libpng15-15-64bit-1.5.30-10.13.1.aarch64_ilp32"
}
}
],
"category": "architecture",
"name": "aarch64_ilp32"
},
{
"branches": [
{
"category": "product_version",
"name": "libpng15-15-1.5.30-10.13.1.i586",
"product": {
"name": "libpng15-15-1.5.30-10.13.1.i586",
"product_id": "libpng15-15-1.5.30-10.13.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "libpng15-15-1.5.30-10.13.1.ppc64le",
"product": {
"name": "libpng15-15-1.5.30-10.13.1.ppc64le",
"product_id": "libpng15-15-1.5.30-10.13.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "libpng15-15-1.5.30-10.13.1.s390",
"product": {
"name": "libpng15-15-1.5.30-10.13.1.s390",
"product_id": "libpng15-15-1.5.30-10.13.1.s390"
}
}
],
"category": "architecture",
"name": "s390"
},
{
"branches": [
{
"category": "product_version",
"name": "libpng15-15-1.5.30-10.13.1.s390x",
"product": {
"name": "libpng15-15-1.5.30-10.13.1.s390x",
"product_id": "libpng15-15-1.5.30-10.13.1.s390x"
}
},
{
"category": "product_version",
"name": "libpng15-15-32bit-1.5.30-10.13.1.s390x",
"product": {
"name": "libpng15-15-32bit-1.5.30-10.13.1.s390x",
"product_id": "libpng15-15-32bit-1.5.30-10.13.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "libpng15-15-1.5.30-10.13.1.x86_64",
"product": {
"name": "libpng15-15-1.5.30-10.13.1.x86_64",
"product_id": "libpng15-15-1.5.30-10.13.1.x86_64"
}
},
{
"category": "product_version",
"name": "libpng15-15-32bit-1.5.30-10.13.1.x86_64",
"product": {
"name": "libpng15-15-32bit-1.5.30-10.13.1.x86_64",
"product_id": "libpng15-15-32bit-1.5.30-10.13.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5",
"product": {
"name": "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5",
"product_id": "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss-extended-security:12:sp5"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "libpng15-15-1.5.30-10.13.1.x86_64 as component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5",
"product_id": "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libpng15-15-1.5.30-10.13.1.x86_64"
},
"product_reference": "libpng15-15-1.5.30-10.13.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-64720",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64720"
}
],
"notes": [
{
"category": "general",
"text": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, an out-of-bounds read vulnerability exists in png_image_read_composite when processing palette images with PNG_FLAG_OPTIMIZE_ALPHA enabled. The palette compositing code in png_init_read_transformations incorrectly applies background compositing during premultiplication, violating the invariant component \u2264 alpha x 257 required by the simplified PNG API. This issue has been patched in version 1.6.51.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libpng15-15-1.5.30-10.13.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64720",
"url": "https://www.suse.com/security/cve/CVE-2025-64720"
},
{
"category": "external",
"summary": "SUSE Bug 1254159 for CVE-2025-64720",
"url": "https://bugzilla.suse.com/1254159"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libpng15-15-1.5.30-10.13.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libpng15-15-1.5.30-10.13.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-24T09:03:55Z",
"details": "moderate"
}
],
"title": "CVE-2025-64720"
}
]
}