CVE-2025-28162: n/a
Buffer Overflow vulnerability in libpng 1.6.43-1.6.46 allows a local attacker to cause a denial of service via the pngimage with AddressSanitizer (ASan), the program leaks memory in various locations, eventually leading to high memory usage and causing the program to become unresponsive
AI Analysis
Technical Summary
CVE-2025-28162 is a buffer overflow vulnerability identified in libpng versions 1.6.43 to 1.6.46, a widely used open-source library for handling PNG image files. The flaw arises when libpng processes specially crafted PNG images under AddressSanitizer (ASan), a memory error detector commonly used during software testing and debugging. The vulnerability causes memory leaks in multiple locations, leading to excessive memory consumption and eventually causing the affected program to become unresponsive or crash, resulting in a denial of service (DoS). This issue is exploitable by a local attacker with low privileges (PR:L) and does not require user interaction (UI:N). The attack vector is local, meaning remote exploitation is not feasible without prior access. The vulnerability is classified under CWE-120 (Classic Buffer Overflow), indicating improper handling of memory buffers. Although the CVSS score is 5.5 (medium severity), the impact is limited to availability, with no confidentiality or integrity compromise. No patches or known exploits are currently available, emphasizing the need for proactive mitigation. The vulnerability primarily affects development and testing environments where ASan is enabled, but could also impact production systems if ASan is used for runtime checks.
Potential Impact
For European organizations, the primary impact of CVE-2025-28162 is denial of service due to high memory usage and application unresponsiveness when processing malicious PNG images locally. This can disrupt software development workflows, automated image processing pipelines, or any local applications relying on vulnerable libpng versions with ASan enabled. While the vulnerability does not expose sensitive data or allow code execution, service availability degradation can affect productivity and operational continuity. Industries such as software development, digital media, and any sectors using image processing tools are at risk. The local attack vector limits exposure, but insider threats or compromised user accounts could exploit this vulnerability. The lack of known exploits reduces immediate risk, but the medium severity score and potential for DoS warrant timely remediation to avoid operational disruptions.
Mitigation Recommendations
European organizations should take the following specific mitigation steps:
1) Identify and inventory all systems and applications using libpng versions 1.6.43 to 1.6.46, especially those with AddressSanitizer enabled.
2) Apply patches or upgrade libpng to versions beyond 1.6.46 once available from trusted sources.
3) Restrict local user permissions to prevent untrusted users from executing or providing malicious PNG files to vulnerable applications.
4) Disable AddressSanitizer in production environments unless explicitly required, as it increases exposure to this vulnerability.
5) Implement monitoring for abnormal memory usage patterns in applications processing PNG images to detect potential exploitation attempts.
6) Educate developers and system administrators about the risks of running ASan-enabled binaries in production.
7) Use application whitelisting and file integrity monitoring to prevent unauthorized PNG files from being processed.
These targeted actions go beyond generic advice by focusing on the specific conditions that enable exploitation.
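A sketch of the inventory check behind steps 1 and 4, added here as an example and not taken from the advisory or from libpng: it normalises the forms a libpng version usually appears in (the integer returned by `png_access_version_number()`, the Linux shared-object file name, a package version string) and flags entries in the 1.6.43 to 1.6.46 range, marking those whose binary references the `__asan_init` symbol. The function names, the `__asan_init` heuristic and the sample inventory are assumptions made for illustration.

```python
import re

# Affected range as stated in the advisory: libpng 1.6.43 through 1.6.46.
AFFECTED_MIN, AFFECTED_MAX = (1, 6, 43), (1, 6, 46)

def parse_libpng_version(text):
    """Return (major, minor, release) from common libpng version forms, else None."""
    text = text.strip()
    # Integer returned by png_access_version_number(), e.g. 10643 -> 1.6.43
    if re.fullmatch(r"\d{5}", text):
        n = int(text)
        return (n // 10000, n // 100 % 100, n % 100)
    # Linux shared-object name, e.g. libpng16.so.16.43.0 -> 1.6.43
    m = re.search(r"libpng(\d)(\d)\.so\.\d+\.(\d+)\.\d+", text)
    if m:
        return tuple(int(g) for g in m.groups())
    # Package or header string, e.g. "1.6.43", "1.6.45-1ubuntu2", "2:1.6.44-r0"
    m = re.search(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?![\d.])", text)
    return tuple(int(g) for g in m.groups()) if m else None

def is_affected(text):
    """True if the version falls in the advisory's range; None if unparseable."""
    v = parse_libpng_version(text)
    return None if v is None else AFFECTED_MIN <= v <= AFFECTED_MAX

def looks_asan_instrumented(binary_bytes):
    """Heuristic (assumption): ASan-instrumented binaries reference __asan_init."""
    return b"__asan_init" in binary_bytes

def triage(inventory):
    """inventory: iterable of (host, version_text, binary_bytes). Returns findings."""
    findings = []
    for host, version_text, blob in inventory:
        affected = is_affected(version_text)
        if affected is None:
            findings.append((host, "unknown-version"))
        elif affected:
            level = "affected+asan" if looks_asan_instrumented(blob) else "affected"
            findings.append((host, level))
    return findings

# Constructed sample inventory (hosts, versions and bytes are made up).
SAMPLE = [
    ("build-01", "libpng16.so.16.43.0", b"\x7fELF...__asan_init..."),
    ("web-02", "1.6.45-1ubuntu2", b"\x7fELF..."),
    ("ci-03", "10637", b"\x7fELF...__asan_init..."),
    ("ws-04", "libpng16.16.dylib", b""),
    ("img-05", "2:1.6.47-r0", b"\x7fELF..."),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE):
        print(host, status)
```

Entries reported as `unknown-version` need a manual check, since a file name without an embedded version says nothing about which libpng release it is.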
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-03-11T00:00:00.000Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 6978e2684623b1157c350b40
Added to database: 1/27/2026, 4:06:00 PM
Last enriched: 2/4/2026, 9:11:22 AM
Last updated: 2/7/2026, 4:16:51 AM