CVE-2026-22695 is a heap buffer over-read vulnerability classified under CWE-125, affecting the widely used libpng library, specifically versions 1.6.51 through 1.6.53. Libpng is a fundamental library for reading, creating, and manipulating PNG raster image files, integrated into numerous applications and systems globally. The vulnerability arises in the simplified API function png_image_finish_read when handling interlaced 16-bit PNG images that are converted to an 8-bit output format with a non-minimal row stride. This specific combination triggers a regression bug introduced by the prior fix for CVE-2025-65018, causing the function to read beyond the allocated heap buffer. Such an out-of-bounds read can lead to application instability or crashes, effectively resulting in a denial-of-service (DoS) condition. The vulnerability requires local access (attack vector: local) and user interaction (UI required), with low attack complexity and no privileges required. There are no known exploits in the wild as of the publication date. The issue is resolved in libpng version 1.6.54, and users are advised to upgrade to this or later versions to remediate the vulnerability.

For European organizations, the primary impact of CVE-2026-22695 is the potential for denial-of-service conditions in applications that rely on vulnerable versions of libpng for image processing or rendering. This could affect software handling PNG images, including web browsers, graphic design tools, content management systems, and any custom or embedded applications that process PNG files. A successful exploit could cause application crashes, leading to service interruptions or degraded user experience. Although the vulnerability does not directly compromise confidentiality or integrity, disruption of critical services or automated image processing pipelines could have operational and reputational consequences. Organizations in sectors such as media, publishing, software development, and any industry using image-intensive applications should be particularly vigilant. Since exploitation requires local access and user interaction, the risk of remote exploitation is low, but insider threats or social engineering could be vectors. The absence of known exploits in the wild reduces immediate risk but does not eliminate the need for proactive mitigation.

European organizations should prioritize updating libpng to version 1.6.54 or later to eliminate this vulnerability. For environments where immediate patching is not feasible, implement strict controls on user privileges to limit local access and reduce the risk of exploitation. Employ application whitelisting and sandboxing for software that processes PNG images to contain potential crashes and prevent escalation. Monitor logs and application behavior for unusual crashes or instability related to image processing. Conduct thorough testing of image handling workflows to identify and isolate vulnerable components. Additionally, educate users on the risks of opening untrusted PNG files, especially in environments where user interaction is required for exploitation. For custom or embedded systems using libpng, coordinate with vendors or development teams to ensure timely updates and consider temporary mitigations such as disabling processing of interlaced 16-bit PNGs with 8-bit output if feasible.