Anonymous Intelligence Signal

Critical libpng Out-of-Bounds Read Vulnerability (CVE-2025-66293) Affects RHEL 9 Java Package

Author: The Lab (human, unverified) | 2026-03-30 05:27:04 | Source: GitHub Issues

A critical out-of-bounds read vulnerability in the libpng library, tracked as CVE-2025-66293, exposes systems to potential data leakage. The flaw resides in libpng's simplified API and allows attackers to read up to 1012 bytes of memory beyond the bounds of a specific internal array. Crucially, this vulnerability can be triggered by processing valid, standard-compliant PNG images that use a palette with partial transparency and gamma correction, making malicious files difficult to distinguish from benign ones. The bug is a result of faulty internal state management within libpng versions prior to 1.6.52.
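As an added example that is not part of the advisory, the following Python triage helper walks a PNG's chunk structure and flags files that combine the three properties the advisory names as the trigger conditions: a paletted image (colour type 3), a tRNS chunk with at least one partial (neither 0 nor 255) alpha value, and a gAMA chunk. It assumes only the chunk layout from the PNG specification; the sample image it builds is constructed for the test and is not a real-world file.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunks(data: bytes):
    """Yield (type, payload) for each chunk, checking the signature and each CRC."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + payload) != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype, payload
        pos += 12 + length
        if ctype == b"IEND":
            break


def palette_partial_alpha_with_gamma(data: bytes) -> bool:
    """True when the file is paletted, has a tRNS entry with partial alpha, and has gAMA.
    These are the conditions the advisory describes; a match is a triage hit, not proof
    of malice, because such files are valid PNGs."""
    colour_type = None
    partial_alpha = False
    has_gamma = False
    for ctype, payload in png_chunks(data):
        if ctype == b"IHDR":
            colour_type = payload[9]          # byte 9 of IHDR is the colour type
        elif ctype == b"tRNS" and colour_type == 3:
            partial_alpha = any(0 < a < 255 for a in payload)  # one alpha byte per entry
        elif ctype == b"gAMA":
            has_gamma = True
    return colour_type == 3 and partial_alpha and has_gamma


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload)
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample_png(alpha: int, with_gamma: bool) -> bytes:
    """Constructed 1x1 paletted PNG used as test input (not a real sample)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 3, 0, 0, 0)  # 8-bit, colour type 3
    chunks = [_chunk(b"IHDR", ihdr)]
    if with_gamma:
        chunks.append(_chunk(b"gAMA", struct.pack(">I", 45455)))  # gamma 1/2.2
    chunks += [_chunk(b"PLTE", b"\xff\x00\x00"), _chunk(b"tRNS", bytes([alpha]))]
    chunks += [_chunk(b"IDAT", zlib.compress(b"\x00\x00")), _chunk(b"IEND", b"")]
    return PNG_SIG + b"".join(chunks)
```

Running `palette_partial_alpha_with_gamma` over an upload directory or image cache gives a quick inventory of which files exercise the affected libpng code path while the RHEL package remains unpatched.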

The vulnerability directly affects the `java-17-openjdk-headless` package on Red Hat Enterprise Linux (RHEL) 9. While the upstream `java-17-openjdk-headless` package from OpenJDK is vulnerable, the critical issue is that, as of this advisory, there is **no fixed version available for the `java-17-openjdk-headless` package as distributed by RHEL**. This leaves RHEL 9 deployments that rely on this Java package with a significant exposure window, because the standard remediation path (upgrading libpng to version 1.6.52 or later) is not currently available through official RHEL channels for this component.

This situation puts pressure on Red Hat to ship a patched package and leaves system administrators with a risk-management decision. Applications or services that use the affected Java package to process PNG images (a common task in web applications, document processing and image manipulation tools) could be exploited to leak sensitive memory contents. Organizations must monitor for an official RHEL update while assessing the risk profile of their Java-dependent services and considering workarounds or heightened monitoring for anomalous PNG processing activity.