
CVE-2026-22695: CWE-125: Out-of-bounds Read in pnggroup libpng

Severity: Medium
Tags: Vulnerability, CVE-2026-22695, CWE-125
Published: Mon Jan 12 2026 (01/12/2026, 22:55:40 UTC)
Source: CVE Database V5
Vendor/Project: pnggroup
Product: libpng

Description

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.51 to 1.6.53, there is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018. This vulnerability is fixed in 1.6.54.

AI-Powered Analysis

Last updated: 01/12/2026, 23:23:43 UTC

Technical Analysis

CVE-2026-22695 is a heap buffer over-read vulnerability identified in the libpng library, versions 1.6.51 through 1.6.53. Libpng is widely used for reading, creating, and manipulating PNG image files across numerous applications. The vulnerability resides in the simplified API function png_image_finish_read, which is responsible for finalizing the reading of PNG images. Specifically, the issue occurs when processing interlaced 16-bit PNG images that are output in 8-bit format with a non-minimal row stride, leading to an out-of-bounds read on the heap. This flaw is a regression introduced by the fix for a previous vulnerability (CVE-2025-65018). The heap buffer over-read can cause application instability, crashes, or denial of service conditions. The CVSS v3.1 score is 6.1 (medium severity), reflecting that exploitation requires local access (AV:L), low attack complexity (AC:L), no privileges (PR:N), but user interaction (UI:R) is necessary. The impact primarily affects availability (A:H) with limited confidentiality impact (C:L) and no integrity impact (I:N). No known exploits are currently reported in the wild. The vulnerability is resolved in libpng version 1.6.54. Given libpng's extensive use in image processing software, browsers, and other applications, this vulnerability could affect a broad range of software stacks that handle PNG images.

Potential Impact

For European organizations, the primary impact of CVE-2026-22695 is the potential for denial of service or application crashes when processing maliciously crafted PNG images. This can disrupt services that rely on image processing, such as content management systems, media platforms, and software development environments. Confidentiality impact is low, so data leakage is unlikely. However, availability disruptions can affect user experience and operational continuity, especially in sectors like media, publishing, and software development. Organizations that allow users to upload or process PNG images locally or on internal systems are at risk if they use vulnerable libpng versions. The requirement for local access and user interaction limits remote exploitation but does not eliminate risk from insider threats or compromised endpoints. The regression nature of this vulnerability also highlights the importance of thorough testing after patch application. Failure to update may expose European enterprises to stability issues and potential targeted denial of service attacks.

Mitigation Recommendations

European organizations should prioritize updating libpng to version 1.6.54 or later to remediate this vulnerability. Where immediate patching is not feasible, organizations should implement strict input validation and sanitization for PNG files, especially those uploaded or processed by users. Employ sandboxing or isolation techniques for applications handling untrusted PNG images to limit the impact of potential crashes. Monitoring application logs for abnormal crashes related to image processing can help detect exploitation attempts. Additionally, organizations should review and enhance their software supply chain security to ensure that dependencies like libpng are regularly audited and updated. For software developers, integrating fuzz testing and regression testing focused on image processing functions can prevent similar regressions. Finally, educating users about the risks of opening untrusted image files can reduce the likelihood of exploitation via social engineering.
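The advisory names a specific combination before the over-read is reached: a libpng build from 1.6.51 through 1.6.53, an interlaced 16-bit PNG, a request for 8-bit output, and a row stride larger than the minimal one. The following added example (not libpng's code and not from the advisory) is a small pre-decode gate a defender can put in front of an image pipeline that cannot be upgraded immediately: it checks whether an installed libpng version falls inside the affected range, parses the PNG's IHDR chunk (verifying its CRC) to see whether the file is interlaced and 16-bit, and refuses only the exact combination the advisory describes. The `make_header_only_png` helper builds a constructed signature-plus-IHDR stub for testing; it is not a complete PNG file. The integer version form (e.g. 10653) is libpng's own `PNG_LIBPNG_VER` / `png_access_version_number()` encoding; the function and parameter names here are assumptions for the example.

```python
"""Pre-decode gate for PNG inputs headed to a libpng build in 1.6.51..1.6.53."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
AFFECTED_MIN = (1, 6, 51)   # first affected release per the advisory
AFFECTED_MAX = (1, 6, 53)   # last affected release per the advisory
FIXED = (1, 6, 54)          # release that carries the fix


def version_tuple(version):
    """Accept '1.6.53' or libpng's integer form (PNG_LIBPNG_VER, e.g. 10653)."""
    if isinstance(version, int):
        return (version // 10000, (version // 100) % 100, version % 100)
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised libpng version: {version!r}")
    return tuple(int(p) for p in parts)


def libpng_affected(version):
    """True when the version is inside the range the advisory names."""
    return AFFECTED_MIN <= version_tuple(version) <= AFFECTED_MAX


def parse_ihdr(data):
    """Parse the IHDR chunk, which the PNG spec requires to come first, and verify its CRC."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    if len(data) < 33:
        raise ValueError("truncated before end of IHDR")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a well-formed IHDR")
    body = data[16:29]
    (crc_stored,) = struct.unpack(">I", data[29:33])
    # The PNG CRC covers the chunk type and data, not the length field.
    if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc_stored:
        raise ValueError("IHDR CRC mismatch")
    width, height, depth, color_type, _comp, _filt, interlace = struct.unpack(">IIBBBBB", body)
    return {"width": width, "height": height, "bit_depth": depth,
            "color_type": color_type, "interlace": interlace}


def is_trigger_shape(data):
    """Interlaced (Adam7 = 1) and 16-bit: the file shape named in the advisory."""
    ihdr = parse_ihdr(data)
    return ihdr["interlace"] == 1 and ihdr["bit_depth"] == 16


def decode_allowed(data, libpng_version, output_bit_depth, row_stride, minimal_stride):
    """Return (allowed, reason). Only the full combination from the advisory is refused."""
    if not libpng_affected(libpng_version):
        return True, "libpng outside affected range"
    if not is_trigger_shape(data):
        return True, "image is not interlaced 16-bit"
    if output_bit_depth != 8:
        return True, "output format is not 8-bit"
    if row_stride == minimal_stride:
        return True, "row stride is minimal"
    return False, "refused: affected libpng, interlaced 16-bit PNG, 8-bit output, padded row stride"


def make_header_only_png(width, height, bit_depth, color_type, interlace):
    """Constructed sample: signature + IHDR only (no IDAT/IEND), enough for header checks."""
    body = struct.pack(">IIBBBBB", width, height, bit_depth, color_type, 0, 0, interlace)
    chunk = b"IHDR" + body
    crc = zlib.crc32(chunk) & 0xFFFFFFFF
    return PNG_SIGNATURE + struct.pack(">I", 13) + chunk + struct.pack(">I", crc)


if __name__ == "__main__":
    sample = make_header_only_png(4, 4, 16, 2, 1)   # constructed: 4x4 RGB, 16-bit, Adam7
    # 4 px * 3 channels * 1 byte = 12 bytes is the minimal 8-bit RGB stride; 16 is padded.
    print(decode_allowed(sample, "1.6.52", 8, 16, 12))
    print(decode_allowed(sample, "1.6.54", 8, 16, 12))
```

In a real pipeline the `minimal_stride` argument would come from libpng's own `PNG_IMAGE_ROW_STRIDE(image)` macro after `png_image_begin_read_*` has filled in the `png_image` struct; the gate is a stop-gap for the window before 1.6.54 is deployed, not a replacement for the upgrade.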


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-01-08T19:23:09.855Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69657efdda2266e838423029

Added to database: 1/12/2026, 11:08:45 PM

Last enriched: 1/12/2026, 11:23:43 PM

Last updated: 1/13/2026, 1:43:41 AM

