Mallory
Severity: High · Public exploit available

Heap Buffer Overflow in libpng png_image_finish_read

Identifiers: CVE-2025-65018 · CWE-122 (Heap-based Buffer Overflow)

CVE-2025-65018 is a heap buffer overflow in the read path of libpng's simplified API. In libpng 1.6.0 up to and including 1.6.50, png_image_finish_read can write past the end of the heap-allocated output buffer when it converts an attacker-crafted 16-bit interlaced PNG to an 8-bit output format. Malformed interlaced input drives the out-of-bounds heap writes during row processing; the upstream issue has also been described as a heap overflow write in row-combination handling, and png_image_finish_read is the affected public entry point. The vulnerability is fixed in libpng 1.6.51.


Analyst brief: impact, mitigation & remediation

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation corrupts heap memory in any application that decodes untrusted PNG images with an affected libpng, including anything that uses the simplified png_image_* API to convert 16-bit images to an 8-bit format. Depending on allocator behavior, surrounding memory layout, and application context, the outcome ranges from an application crash (denial of service) through information disclosure caused by the corrupted state to potentially arbitrary code execution. Several vendor advisories characterize the broader libpng issue set as potentially leading to arbitrary code execution when crafted PNG files are processed.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by keeping affected applications away from untrusted or externally supplied PNG files, especially PNGs arriving through web uploads, email attachments, document workflows, or other attacker-controlled channels. Where images must still be accepted, a structural pre-check can reject or quarantine the input class that reaches the vulnerable path (16-bit, interlaced PNGs) before any libpng code runs on the file. Sandbox or isolate image-processing components, enable the platform's exploit mitigations, and monitor for crashes or anomalous behavior in services that decode PNG content. These measures are temporary and do not replace upgrading to a fixed libpng release.
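The pre-check described above, as an added example that is not part of the Mallory page or of libpng itself: it parses only the PNG signature and IHDR chunk (verifying the chunk CRC and the field ranges the PNG specification allows) and flags files whose bit depth is 16 and whose interlace method is 1, the input class that reaches the vulnerable conversion path in png_image_finish_read. The function names, the `needs_isolation` flag and the header-only fixture builder are this example's own; the flag is a coarse structural classification, not a judgement that a file is malicious.

```python
import struct
import zlib

# Added example: classify PNG input by its IHDR so that 16-bit interlaced
# images can be rejected or routed to an isolated decoder before any libpng
# code touches them. Legitimate 16-bit Adam7-interlaced PNGs exist and are
# flagged too; this is quarantine/routing logic, not malware detection.

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Bit depths the PNG specification allows for each colour type.
_VALID_DEPTHS = {
    0: {1, 2, 4, 8, 16},  # greyscale
    2: {8, 16},           # truecolour
    3: {1, 2, 4, 8},      # indexed (palette)
    4: {8, 16},           # greyscale + alpha
    6: {8, 16},           # truecolour + alpha
}


def parse_ihdr(data: bytes) -> dict:
    """Parse signature + IHDR, checking CRC and field ranges.

    Raises ValueError for anything structurally invalid so the caller can
    reject the file without ever handing it to the real decoder.
    """
    if len(data) < 33:  # 8 signature + 4 length + 4 type + 13 body + 4 CRC
        raise ValueError("too short for PNG signature + IHDR")
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("bad PNG signature")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk must be a 13-byte IHDR")
    body = data[16:29]
    (crc,) = struct.unpack(">I", data[29:33])
    if zlib.crc32(ctype + body) != crc:  # CRC covers type + data, not length
        raise ValueError("IHDR CRC mismatch")
    width, height, depth, color_type, comp, filt, interlace = struct.unpack(
        ">IIBBBBB", body
    )
    if not (1 <= width <= 0x7FFFFFFF and 1 <= height <= 0x7FFFFFFF):
        raise ValueError("image dimensions out of range")
    if color_type not in _VALID_DEPTHS or depth not in _VALID_DEPTHS[color_type]:
        raise ValueError("invalid colour type / bit depth combination")
    if comp != 0 or filt != 0 or interlace not in (0, 1):
        raise ValueError("invalid compression/filter/interlace method")
    return {"width": width, "height": height, "bit_depth": depth,
            "color_type": color_type, "interlace": interlace}


def triage_png(data: bytes) -> dict:
    """IHDR fields plus a flag for the CVE-2025-65018 input class."""
    info = parse_ihdr(data)
    info["needs_isolation"] = info["bit_depth"] == 16 and info["interlace"] == 1
    return info


def make_png_header(width, height, bit_depth, color_type, interlace) -> bytes:
    """Constructed fixture: signature + IHDR only, no IDAT/IEND."""
    body = struct.pack(">IIBBBBB", width, height, bit_depth, color_type, 0, 0, interlace)
    chunk = b"IHDR" + body
    return PNG_SIGNATURE + struct.pack(">I", 13) + chunk + struct.pack(">I", zlib.crc32(chunk))


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            head = fh.read(33)
        try:
            info = triage_png(head)
        except ValueError as exc:
            print(f"{path}: REJECT ({exc})")
            continue
        print(f"{path}: {'ISOLATE' if info['needs_isolation'] else 'ok'} {info}")
```

Run it over an upload directory (`python png_triage.py uploads/*.png`) and route anything marked ISOLATE to a sandboxed decoder or reject it outright. Only the first 33 bytes are read, so the check is cheap enough to sit in front of every decode; it says nothing about the IDAT contents, which is why it is a routing gate and not a substitute for the fixed library.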

Remediation

Patch, then assume compromise.

Upgrade libpng to version 1.6.51 or later. Where libpng comes from a vendor package, apply the distribution or product security update rather than patching the library by hand; vendors commonly backport the fix without bumping the upstream version number, so the package version, not the upstream version string, is what to compare. Examples of such backports are Debian bookworm, fixed in 1.6.39-2+deb12u1, and Debian trixie, fixed in 1.6.48-1+deb13u1, as part of the downstream updates for the libpng vulnerability set; use the vendor-provided fixed package for the affected platform. Also verify that every application that links libpng statically or dynamically is rebuilt or updated as needed, since a statically linked or vendored copy does not pick up the system package update.
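The comparison the paragraph above calls for, as an added example that is not part of the Mallory page or of any vendor tooling: a port of dpkg's version-ordering algorithm (epoch, then upstream, then Debian revision, with `~` sorting before everything and letters before non-letters) so that an installed package version can be checked against the fixed version for its channel. The `FIXED_VERSIONS` table only carries the three versions named on this page; the channel names and function names are this example's own, and the `dpkg-query` invocation in the usage comment assumes the bookworm binary package name.

```python
# Added example: decide whether an installed libpng package is at or above
# the fixed version for its channel, using dpkg's ordering rules so that a
# backport such as 1.6.48-1+deb13u1 is recognised as fixed even though its
# upstream number is below 1.6.51.

_DIGITS = "0123456789"

# Fixed versions named on this page; extend with other vendors' fixed
# package versions as you confirm them from their advisories.
FIXED_VERSIONS = {
    "upstream": "1.6.51",
    "debian-bookworm": "1.6.39-2+deb12u1",
    "debian-trixie": "1.6.48-1+deb13u1",
}


def _order(c: str) -> int:
    """dpkg character weight: '~' lowest, then end-of-string/digit, letters, others."""
    if c in _DIGITS:
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    if c:
        return ord(c) + 256
    return 0  # end of string


def _verrevcmp(a: str, b: str) -> int:
    """Port of dpkg's verrevcmp(): alternate non-digit and digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character with dpkg weights.
        while (i < len(a) and a[i] not in _DIGITS) or (j < len(b) and b[j] not in _DIGITS):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: strip leading zeros, then compare numerically by length/first difference.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in _DIGITS and j < len(b) and b[j] in _DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in _DIGITS:
            return 1   # a has more digits, so it is the larger number
        if j < len(b) and b[j] in _DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """[epoch:]upstream[-revision] -> (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def dpkg_compare(a: str, b: str) -> int:
    """-1, 0 or 1 with dpkg --compare-versions semantics."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        c = _verrevcmp(x, y)
        if c:
            return -1 if c < 0 else 1
    return 0


def is_fixed(installed: str, channel: str) -> bool:
    return dpkg_compare(installed, FIXED_VERSIONS[channel]) >= 0


if __name__ == "__main__":
    import sys
    # usage: python libpng_fixed.py debian-bookworm "$(dpkg-query -W -f='${Version}' libpng16-16)"
    channel, installed = sys.argv[1], sys.argv[2]
    state = "fixed" if is_fixed(installed, channel) else "VULNERABLE"
    print(f"{state}: {installed} vs fixed {FIXED_VERSIONS[channel]} ({channel})")
```

The point the test below makes explicit is that `1.6.48-1+deb13u1` is "fixed" under the `debian-trixie` channel but "vulnerable" under `upstream`: an inventory that compares distro packages against the upstream 1.6.51 number will raise false positives on every backport, and one that compares upstream tarballs against a distro table will miss real exposure. Pick the channel that matches where the library actually came from.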
Public exploits

2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (valid: 2 of 2 total).
CVE-2025-65018_Exploit_Challenge (maturity: PoC; verified exploit)

This repository is a Capture-The-Flag (CTF) style exploit challenge for CVE-2025-65018, a memory corruption vulnerability in libpng's simplified API when handling 16-bit interlaced PNG images. The repository contains:
- A vulnerable C binary ('victim.c') that reads a PNG file ('exploit.png') into a stack-allocated buffer, followed by a Logger structure with a function pointer.
- A Python script ('solve.py') that generates a malicious PNG designed to exploit the buffer overflow and overwrite the Logger's function pointer with the address of a 'win' function, which spawns a shell.
- Build scripts and a patched version of libpng to ensure the vulnerability is present.
The exploit works by crafting the pixel data in the PNG so that, when processed by the vulnerable libpng, it overflows the buffer and overwrites the function pointer. The attack is local: the attacker must supply a crafted PNG file to the vulnerable binary. The repository is well documented, with detailed explanations in 'Blog.md' and 'README.md', and includes automation for building and testing the exploit. No network endpoints are involved; the main fingerprintable artifacts are the file paths ('exploit.png', '/bin/sh') and the memory layout of the target binary.

Author: bohemian-miser · Disclosed Dec 9, 2025 · Python, C · local
CVE-2025-65018-Heap-buffer-overflow-in-libpng-ps4-ps5 (maturity: PoC; verified exploit)

This repository provides a proof-of-concept (PoC) exploit for CVE-2025-65018, a heap buffer overflow vulnerability in libpng as used on PlayStation 4 and PlayStation 5. The repository contains three files: a LICENSE (Apache 2.0), a README.md with usage instructions, and make_png.py, a Python script that modifies a valid PNG screenshot to create a malicious PNG file. The exploit workflow involves taking a screenshot on the PS4/PS5, transferring it to a PC, running the script to generate a crafted PNG, and then replacing the original screenshot on the console. When the crafted PNG is opened in the gallery, it triggers the vulnerability, resulting in an error or crash. The exploit does not provide remote code execution or a shell, but demonstrates the vulnerability by causing a crash. The only fingerprintable endpoint is the file path used for screenshots on the console. The code is a standalone PoC and not part of any exploit framework.

Author: Neo-Neo6 · Disclosed Nov 23, 2025 · Python · local
Exposure surface: affected products & vendors

Products and vendors Mallory has correlated with this vulnerability (vendor-confirmed product mapping).

Vendor        Product       Type
Libpng        Libpng        application
Rocky Linux   Rocky Linux   operating_system
