CVE-2025-65018 – a heap buffer overflow in libpng – hit on November 24, 2025. CVSS scores up to 9.8. libpng ships by default in Debian Bullseye, Bookworm, and Trixie, meaning millions of container images pulled daily carry this vulnerability until patched.