The libpng library in Red Hat Enterprise Linux 8.6 contains three security vulnerabilities: a buffer overflow (CVE-2025-64720), a heap buffer overflow (CVE-2025-65018), and an out-of-bounds read vulnerability in the png_image_read_composite function (CVE-2025-66293). These issues are related to improper handling of PNG image data leading to memory corruption or invalid memory access. Red Hat Product Security has rated the update as Important and has released patched libpng packages to remediate these vulnerabilities. The advisory references specific bugzilla entries and provides package details for the fixed versions. The vulnerabilities are categorized under CWE-125 (out-of-bounds read) and CWE-787 (out-of-bounds write). No CVSS scores are provided in the advisory, and no active exploitation has been reported.

Successful exploitation of these vulnerabilities could lead to memory corruption, potentially causing application crashes or enabling an attacker to execute arbitrary code within the context of the affected application processing PNG files. The impact is considered high due to the nature of buffer overflows and out-of-bounds reads, which can undermine system stability and security. However, no known exploits in the wild have been reported, and the vulnerabilities affect libpng usage in Red Hat Enterprise Linux 8.6 variants.

Red Hat has released updated libpng packages for Red Hat Enterprise Linux 8.6 variants that address these vulnerabilities. Users should apply the security update as described in the Red Hat advisory RHSA-2026:0322 and the referenced article https://access.redhat.com/articles/11258. Applying the official patch is the recommended and effective mitigation. There is no indication from the vendor advisory that additional or alternative mitigations are required.