The libpng library, which handles Portable Network Graphics (PNG) image files, contains three distinct security vulnerabilities: a buffer overflow (CVE-2025-64720), a heap buffer overflow (CVE-2025-65018), and an out-of-bounds read vulnerability in the png_image_read_composite function (CVE-2025-66293). These issues are categorized under CWE-125 (out-of-bounds read) and CWE-787 (out-of-bounds write). Red Hat Product Security has released updated libpng packages for Red Hat Enterprise Linux 9.0 and related variants to address these vulnerabilities. The advisory classifies the security impact as Important (high severity) and directs users to apply the provided updates. No CVSS scores are provided in the advisory, and no exploits have been observed in the wild.

The vulnerabilities involve memory corruption issues (buffer overflows and out-of-bounds reads) in libpng, which could lead to potential security risks such as application crashes or arbitrary code execution if exploited. However, there are no known active exploits in the wild. The impact is rated as Important by Red Hat, indicating a high severity level that warrants prompt attention. Systems running affected versions of Red Hat Enterprise Linux 9.0 and using libpng are at risk until updated packages are applied.

Red Hat has released updated libpng packages that address these vulnerabilities. Users of affected Red Hat Enterprise Linux 9.0 versions should apply the security updates as detailed in Red Hat advisory RHSA-2026:0234 and the referenced article https://access.redhat.com/articles/11258. Since this is not a cloud service, remediation depends on applying these official patches. There are no indications from the vendor advisory that no action is required or that the issue is already mitigated without patching.