Anonymous Intelligence Signal

Critical Heap Buffer Overflow in RHEL 9 Java Package (CVE-2025-65018) - Libpng Vulnerability Patched

human The Lab unverified 2026-04-06 05:26:58 Source: GitHub Issues

A critical heap buffer overflow, tracked as CVE-2025-65018, has been patched in the `java-17-openjdk-headless` package for Red Hat Enterprise Linux 9. The flaw is not in Java itself but in libpng, the reference library for reading and writing PNG images, a copy of which is carried inside the JDK package. libpng versions 1.6.0 through 1.6.50 contain a defect in `png_image_finish_read`, part of the library's simplified API. When a 16-bit interlaced (Adam7) PNG is read with an 8-bit output format requested, the function writes past the end of the heap buffer allocated for the output image: an out-of-bounds heap write driven by attacker-supplied image data.

Because the vulnerable copy of libpng is embedded in the Java runtime distributed for RHEL 9 rather than in the system `libpng` RPM, updating the system library alone does not close the issue. An attacker who can get a crafted PNG decoded through the bundled libpng, for example by supplying it to an application that hands image files to that code path, can corrupt heap memory. Depending on what sits next to the overflowed buffer, the outcome ranges from a crash and denial of service to, potentially, arbitrary code execution. Note that Java's standard `javax.imageio` PNG decoder is written in Java and does not use libpng; OpenJDK bundles libpng for its native splash-screen support, so actual exposure depends on which decoding path an application exercises. The issue is not specific to Red Hat's packaging; it stems from the upstream libpng version shipped inside the affected Java package.
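A triage check for the input described in the two paragraphs above, added here as an example; it is not code from the advisory, from libpng or from the OpenJDK project. It parses the PNG signature and the IHDR chunk (verifying the chunk CRC, so a header that does not even pass PNG's own integrity check is rejected rather than guessed at) and flags files that are both 16-bit and Adam7-interlaced, the combination that reaches the affected `png_image_finish_read` conversion when an application asks the simplified API for 8-bit output. It cannot tell whether an application actually takes that path, and a flagged file is not necessarily malicious; it is a quarantine-or-log heuristic for an ingestion boundary until the fixed package is deployed. The sample headers built in the block are constructed for the example.

```python
"""Triage PNG inputs for the shape described above: 16-bit depth with Adam7 interlacing."""
import struct
import sys
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
IHDR_LEN = 13  # IHDR data is always 13 bytes: width, height, depth, colour type, compression, filter, interlace
ADAM7 = 1      # the only interlace method PNG defines besides 0 (none)


def parse_ihdr(data: bytes) -> dict:
    """Return the IHDR fields of a PNG prefix, raising ValueError on a malformed header.

    Layout: 8-byte signature, then chunks of 4-byte big-endian length, 4-byte
    type, data, and a CRC-32 over type+data. IHDR must be the first chunk.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("bad PNG signature")
    if len(data) < 8 + 4 + 4 + IHDR_LEN + 4:
        raise ValueError("truncated before end of IHDR")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != IHDR_LEN:
        raise ValueError("first chunk is not a 13-byte IHDR")
    body = data[16:16 + IHDR_LEN]
    (crc,) = struct.unpack(">I", data[16 + IHDR_LEN:20 + IHDR_LEN])
    if zlib.crc32(ctype + body) != crc:
        raise ValueError("IHDR CRC mismatch")
    width, height, depth, colour, compression, filt, interlace = struct.unpack(">IIBBBBB", body)
    if width == 0 or height == 0:
        raise ValueError("zero image dimension")
    if compression != 0 or filt != 0 or interlace not in (0, ADAM7):
        raise ValueError("unknown compression, filter or interlace method")
    return {"width": width, "height": height, "bit_depth": depth,
            "color_type": colour, "interlace": interlace}


def classify_png(data: bytes) -> str:
    """'reject: <why>' for a malformed prefix, 'flag' when the image is 16-bit and
    Adam7-interlaced (the input shape the affected png_image_finish_read path
    converts to 8-bit output), 'ok' otherwise. This is input triage, not an
    exploit detector: benign images with that shape are flagged too."""
    try:
        info = parse_ihdr(data)
    except ValueError as exc:
        return f"reject: {exc}"
    if info["bit_depth"] == 16 and info["interlace"] == ADAM7:
        return "flag"
    return "ok"


def build_png_prefix(width: int, height: int, bit_depth: int, color_type: int, interlace: int) -> bytes:
    """Construct a signature + IHDR prefix for testing (no image data follows)."""
    body = struct.pack(">IIBBBBB", width, height, bit_depth, color_type, 0, 0, interlace)
    chunk = struct.pack(">I", IHDR_LEN) + b"IHDR" + body
    return PNG_SIGNATURE + chunk + struct.pack(">I", zlib.crc32(b"IHDR" + body))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(f"{path}: {classify_png(fh.read(64))}")
    else:
        # Constructed samples: a 16-bit Adam7 RGB header (flag), an 8-bit Adam7 RGBA
        # header (ok), and the first header with its bit-depth byte corrupted (reject on CRC).
        flagged = build_png_prefix(64, 64, 16, 2, ADAM7)
        damaged = bytearray(flagged)
        damaged[24] ^= 0xFF
        samples = [("16-bit adam7", flagged),
                   ("8-bit adam7", build_png_prefix(64, 64, 8, 6, ADAM7)),
                   ("bad crc", bytes(damaged))]
        for name, sample in samples:
            print(f"{name}: {classify_png(sample)}")
```

Only the first 33 bytes of a file are needed, so the check is cheap enough to run on every upload; the CRC verification matters because a decoder that is lenient about headers is exactly the kind of component this class of bug lives in, and the triage layer should not be more permissive than the format.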

Red Hat has addressed the vulnerability in `RHSA-2026:0927`. Administrators should upgrade the RHEL 9 `java-17-openjdk-headless` package to version `1:17.0.18.0.8-1.el9` or later, which carries the libpng fix released upstream in 1.6.51. When verifying, compare the full epoch, version and release of the installed package (for example from `rpm -q java-17-openjdk-headless`) against that string rather than eyeballing the `17.0.18` prefix. Organizations running Java applications on RHEL 9 that decode externally supplied images should prioritize the update, since exploitation could compromise both the stability and the security of the host.
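A version check for the remediation above, as an added example that is not part of this advisory or of Red Hat's tooling. It re-implements rpm's version-segment ordering (the `rpmvercmp` rules: numeric runs compare as numbers, letters as strings, `~` sorts before everything) in Python so an installed epoch:version-release string can be compared against the fixed `1:17.0.18.0.8-1.el9` without librpm bindings. A plain string comparison gets this wrong (`17.0.18.0.10` would sort below `17.0.18.0.8`), and the epoch has to be considered first. The `rpm -q` query format and the fallback sample value are assumptions for the example; the fixed version is the one named in the advisory.

```python
"""Check whether an installed java-17-openjdk-headless EVR is at or past the RHSA-2026:0927 fix."""
import subprocess

FIXED_EVR = "1:17.0.18.0.8-1.el9"  # epoch 1, version 17.0.18.0.8, release 1.el9, per the advisory
PACKAGE = "java-17-openjdk-headless"


def _alnum(c: str) -> bool:
    return c.isascii() and c.isalnum()


def rpmvercmp(a: str, b: str) -> int:
    """Re-implementation of rpm's segment ordering for this example (not a call into librpm).

    Digit runs compare numerically, letter runs as strings, a numeric segment beats an
    alphabetic one, '~' sorts before anything (pre-release) and '^' sorts after the bare
    version but before any other suffix. Returns -1, 0 or 1 like the C original.
    """
    if a == b:
        return 0
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        while i < la and not (_alnum(a[i]) or a[i] in "~^"):  # skip separators such as '.' or '-'
            i += 1
        while j < lb and not (_alnum(b[j]) or b[j] in "~^"):
            j += 1
        ca = a[i] if i < la else ""
        cb = b[j] if j < lb else ""
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not ca or not cb:
            break
        isnum = ca.isdigit()
        same_kind = (lambda c: _alnum(c) and c.isdigit()) if isnum else (lambda c: _alnum(c) and c.isalpha())
        ia = i
        while ia < la and same_kind(a[ia]):
            ia += 1
        jb = j
        while jb < lb and same_kind(b[jb]):
            jb += 1
        seg_a, seg_b, i, j = a[i:ia], b[j:jb], ia, jb
        if not seg_b:                      # segments of different kind: numeric wins
            return 1 if isnum else -1
        if isnum:                          # numeric: drop leading zeros, longer run is larger
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:                 # equal-length digit runs or letter runs compare as strings
            return 1 if seg_a > seg_b else -1
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1


def parse_evr(evr: str) -> tuple:
    """Split 'E:V-R' into (int epoch, version, release); a missing or '(none)' epoch is 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, sep, release = rest.rpartition("-")
    if not sep:
        version, release = rest, ""
    return (int(epoch) if epoch.isdigit() else 0), version, release


def compare_evr(a: str, b: str) -> int:
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_fixed(installed_evr: str, fixed_evr: str = FIXED_EVR) -> bool:
    """True when the installed EVR is the fixed version or later, as the advisory requires."""
    return compare_evr(installed_evr, fixed_evr) >= 0


if __name__ == "__main__":
    # Query the local rpm database; where rpm is absent, fall back to a constructed sample value.
    query = ["rpm", "-q", "--qf", "%{EPOCHNUM}:%{VERSION}-%{RELEASE}\n", PACKAGE]
    try:
        installed = subprocess.run(query, capture_output=True, text=True, check=False).stdout.split()
    except FileNotFoundError:
        installed = ["1:17.0.17.0.10-2.el9"]  # constructed sample, not output from a real host
    if not installed:
        print(f"{PACKAGE}: not installed")
    for evr in installed:
        verdict = "fixed" if is_fixed(evr) else f"VULNERABLE, update to {FIXED_EVR}"
        print(f"{PACKAGE} {evr}: {verdict}")
```

The same comparison works for any RHSA by swapping `FIXED_EVR` and `PACKAGE`; feeding it `rpm -qa --qf '%{NAME} %{EPOCHNUM}:%{VERSION}-%{RELEASE}\n'` output is a straightforward extension when auditing a fleet.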