The libpng library, which handles Portable Network Graphics (PNG) image files, contains three distinct vulnerabilities: CVE-2026-22801 involves integer truncation in the simplified write API leading to information disclosure and denial of service; CVE-2026-22695 is a heap buffer over-read in the png_image_finish_read function causing denial of service and information disclosure; CVE-2026-25646 is a heap buffer overflow in the png_set_quantize function. These vulnerabilities affect Red Hat Enterprise Linux 8.8 and related update services on multiple architectures. Red Hat Product Security has released updated libpng packages to remediate these issues as detailed in advisory RHSA-2026:4729. The vulnerabilities are rated with high severity but no CVSS scores are provided in the advisory.

Successful exploitation of these vulnerabilities could lead to denial of service conditions and unauthorized information disclosure on affected systems running vulnerable versions of libpng. The heap buffer overflow and buffer over-read issues may cause application crashes or memory corruption. However, there are no reports of active exploitation in the wild. The vulnerabilities affect multiple Red Hat Enterprise Linux 8.8 variants including Extended Update Support and Update Services for SAP Solutions on x86_64 and ppc64le architectures.

Red Hat has released updated libpng packages that address these vulnerabilities. Users of affected Red Hat Enterprise Linux 8.8 systems should apply the security update as described in Red Hat advisory RHSA-2026:4729 and the referenced article https://access.redhat.com/articles/11258. Applying these official patches is the recommended remediation. There is no indication from the vendor advisory that additional mitigations or workarounds are required beyond installing the update.