Alpine: multiple libpng packages: security update to 1.6.53-r0

high Tenable Cloud Security Plugin ID 436287

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable
Network Graphics) raster image files. Prior to version 1.6.51, a heap buffer over-read vulnerability
exists in libpng's png_do_quantize function when processing PNG files with malformed palette indices. The
vulnerability occurs when palette_lookup array bounds are not validated against externally-supplied image
data, allowing an attacker to craft a PNG file with out-of-range palette indices that trigger out-of-
bounds memory access. This issue has been patched in version 1.6.51. (CVE-2025-64505)

- LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable
Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, a heap buffer over-read
vulnerability exists in libpng's png_write_image_8bit function when processing 8-bit images through the
simplified write API with convert_to_8bit enabled. The vulnerability affects 8-bit grayscale+alpha,
RGB/RGBA, and images with incomplete row data. A conditional guard incorrectly allows 8-bit input to enter
code expecting 16-bit input, causing reads up to 2 bytes beyond allocated buffer boundaries. This issue
has been patched in version 1.6.51. (CVE-2025-64506)

- LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable
Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, an out-of-bounds read
vulnerability exists in png_image_read_composite when processing palette images with
PNG_FLAG_OPTIMIZE_ALPHA enabled. The palette compositing code in png_init_read_transformations incorrectly
applies background compositing during premultiplication, violating the invariant component ≤ alpha × 257
required by the simplified PNG API. This issue has been patched in version 1.6.51. (CVE-2025-64720)

- LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable
Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, there is a heap buffer overflow
vulnerability in the libpng simplified API function png_image_finish_read when processing 16-bit
interlaced PNGs with 8-bit output format. Attacker-crafted interlaced PNG files cause heap writes beyond
allocated buffer bounds. This issue has been patched in version 1.6.51. (CVE-2025-65018)

- LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable
Network Graphics) raster image files. Prior to 1.6.52, an out-of-bounds read vulnerability in libpng's
simplified API allows reading up to 1012 bytes beyond the png_sRGB_base[512] array when processing valid
palette PNG images with partial transparency and gamma correction. The PNG files that trigger this
vulnerability are valid per the PNG specification; the bug is in libpng's internal state management.
Upgrade to libpng 1.6.52 or later. (CVE-2025-66293)

See Also

https://security.alpinelinux.org/vuln/CVE-2025-64505

https://security.alpinelinux.org/vuln/CVE-2025-64506

https://security.alpinelinux.org/vuln/CVE-2025-64720

https://security.alpinelinux.org/vuln/CVE-2025-65018

https://security.alpinelinux.org/vuln/CVE-2025-66293

Plugin Details

Severity: High

ID: 436287

Version: Revision 1.5

Type: Local

Published: 12/8/2025

Updated: 7/7/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.66

CVSS v2

Risk Factor: High

Base Score: 8.5

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:C

CVSS Score Source: CVE-2025-66293

CVSS v3

Risk Factor: High

Base Score: 7.1

Temporal Score: 6.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 11/24/2025

Reference Information

CVE: CVE-2025-64505, CVE-2025-64506, CVE-2025-64720, CVE-2025-65018, CVE-2025-66293