Critical libpng Out-of-Bounds Read Vulnerability (CVE-2025-66293) Affects RHEL 9 Java Package
A critical out-of-bounds read vulnerability in the libpng library, tracked as CVE-2025-66293, exposes systems to potential data leakage and instability. The flaw resides in libpng's simplified API and allows an attacker to read up to 1012 bytes of memory beyond the bounds of a fixed-size internal array. Crucially, the vulnerability is triggered by processing valid, specification-compliant PNG images that use a palette with partial transparency and gamma correction, making malicious files difficult to distinguish from benign ones. The bug stems from faulty internal state management within libpng versions prior to 1.6.52.
The vulnerability directly impacts the `java-17-openjdk-headless` package on Red Hat Enterprise Linux 9 (RHEL 9). While the upstream `java-17-openjdk-headless` package from OpenJDK is vulnerable, the critical issue is that, as of this advisory, **there is no fixed version available for the `java-17-openjdk-headless` package as distributed by RHEL**. This creates a significant exposure window for any RHEL 9 system relying on this Java package to process PNG images, a common task in many applications and web services.
This situation places immediate pressure on RHEL 9 administrators and security teams. They must implement alternative mitigation strategies, such as restricting PNG processing from untrusted sources, while awaiting an official patch from Red Hat. The vulnerability's presence in a core library used by a fundamental runtime like Java amplifies the risk, potentially affecting a wide range of enterprise applications, data processing pipelines, and services that handle image data. The lack of a readily available fix for a supported enterprise platform signals a pressing need for heightened scrutiny of image-handling components in critical infrastructure.
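As an added illustration of the mitigation suggested above (this is example code, not code from the advisory, from libpng, or from Red Hat), the following Python script implements a pre-screening step for an image-ingestion pipeline. It parses the PNG chunk stream, rejects malformed files (bad signature, truncated chunks, CRC mismatches), and holds for manual review any indexed-colour image that carries both a tRNS (palette transparency) chunk and a gAMA (gamma correction) chunk, the combination the advisory identifies as the trigger. It screens conservatively, flagging any such combination and separately reporting whether a palette entry is partially transparent; it does not attempt to decide whether a given file would actually reach the faulty code path in libpng. The sample images are constructed inline, and the function and field names are the example's own.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def make_chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, payload, CRC-32 over type+payload."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def parse_png_chunks(data: bytes):
    """Walk the chunk stream, verifying lengths and CRCs. Returns [(type, payload), ...]."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body_start, body_end = pos + 8, pos + 8 + length
        if body_end + 4 > len(data):
            raise ValueError(f"truncated chunk {ctype!r}")
        body = data[body_start:body_end]
        (crc,) = struct.unpack(">I", data[body_end:body_end + 4])
        if (zlib.crc32(ctype + body) & 0xFFFFFFFF) != crc:
            raise ValueError(f"CRC mismatch in chunk {ctype!r}")
        chunks.append((ctype.decode("ascii"), body))
        pos = body_end + 4
        if ctype == b"IEND":
            break
    if not chunks or chunks[0][0] != "IHDR" or chunks[-1][0] != "IEND":
        raise ValueError("IHDR must be first and IEND last")
    return chunks


def triage_png(data: bytes) -> dict:
    """Report the features the advisory names and decide whether to hold the file for review."""
    chunks = parse_png_chunks(data)
    types = [t for t, _ in chunks]
    width, height, bit_depth, color_type = struct.unpack(">IIBB", chunks[0][1][:10])
    paletted = color_type == 3  # PNG colour type 3 = indexed colour, requires a PLTE chunk
    trns = [b for t, b in chunks if t == "tRNS"]
    # For indexed colour, each tRNS byte is the alpha of one palette entry; 0 < a < 255 is partial.
    partial_alpha = paletted and any(0 < a < 255 for body in trns for a in body)
    has_gama = "gAMA" in types
    # Conservative rule (example policy): palette + tRNS + gAMA is held regardless of alpha values.
    hold = paletted and bool(trns) and has_gama
    return {
        "width": width, "height": height, "bit_depth": bit_depth, "color_type": color_type,
        "paletted": paletted, "has_trns": bool(trns), "partial_alpha": partial_alpha,
        "has_gama": has_gama, "hold_for_review": hold,
    }


def build_png(width, height, color_type, extra_chunks, pixel_row: bytes) -> bytes:
    """Assemble a minimal 8-bit PNG (constructed test data, not a real-world sample)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, color_type, 0, 0, 0)
    idat = zlib.compress(b"".join(b"\x00" + pixel_row for _ in range(height)))  # filter type 0 per row
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
            + b"".join(make_chunk(t, b) for t, b in extra_chunks)
            + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b""))


# Constructed samples: an indexed-colour image with a half-transparent palette entry and a gAMA
# chunk (the pattern the advisory describes) and a plain truecolour image that lacks it.
SUSPECT_PNG = build_png(1, 1, 3, [
    (b"gAMA", struct.pack(">I", 45455)),       # gamma 1/2.2 (gAMA must precede PLTE)
    (b"PLTE", bytes([255, 0, 0, 0, 0, 255])),  # two palette entries: red, blue
    (b"tRNS", bytes([0x80])),                  # entry 0 has alpha 128: partially transparent
], b"\x00")
BENIGN_PNG = build_png(1, 1, 2, [], b"\x10\x20\x30")  # colour type 2 = truecolour, no palette

if __name__ == "__main__":
    for name, blob in (("suspect", SUSPECT_PNG), ("benign", BENIGN_PNG)):
        print(name, triage_png(blob))
```

Because the trigger is a legitimate feature combination, a hold like this produces false positives on benign palette images; it is a stop-gap for untrusted inputs until a fixed `java-17-openjdk-headless` package ships, not a substitute for patching.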