CVE-2026-22695
Published: 12 January 2026
Summary
CVE-2026-22695 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in libpng. Its CVSS base score is 6.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). It is ranked at the 9.1 percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-22695 is a heap buffer over-read vulnerability in the libpng library, a reference implementation for reading, creating, and manipulating PNG raster image files. The issue affects versions 1.6.51 through 1.6.53 and occurs in the simplified API function png_image_finish_read when processing interlaced 16-bit PNG images with an 8-bit output format and non-minimal row stride. This flaw represents a regression introduced by the fix for CVE-2025-65018 and is classified under CWE-125 (Out-of-bounds Read), with a CVSS v3.1 base score of 6.1.
Exploitation requires a specially crafted PNG image and user interaction: the victim must open or otherwise process the file in an application linked against an affected libpng build. The CVSS vector rates the attack vector as local and the attack complexity as low, and no privileges are needed. Successful exploitation yields a low confidentiality impact (limited disclosure of heap contents read past the end of the row buffer) and a high availability impact (an application crash or denial of service).
The libpng project addressed this vulnerability in version 1.6.54, as detailed in the associated GitHub security advisory (GHSA-mmq5-27w3-rxpp), issue tracker (#778), and fix commits (218612ddd6b17944e21eda56caf8b4bf7779d1ea and e4f7ad4ea2). Security practitioners should prioritize updating dependent applications and libraries to libpng 1.6.54 or later. Note that many applications, browsers, and language runtimes bundle their own copy of libpng rather than using the system library, so updating the distribution package alone does not cover statically linked or vendored builds; those need their own rebuild or upstream update.
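The trigger described above depends on one property of the file (interlaced, 16-bit samples) and two properties of the consumer (8-bit output format, non-minimal row stride). A file-side triage check can therefore only tell you which inputs are worth a closer look or quarantining until consumers are patched. The following is an added example, not code from the advisory or the libpng project: it parses the PNG signature and IHDR chunk as defined by the PNG specification and flags files with the trigger shape. The sample inputs are constructed headers, not real images.

```python
"""Triage helper: flag PNG files whose IHDR matches the input shape that reaches
the affected png_image_finish_read path (interlaced, 16-bit samples).

Added example, not code from the advisory or the libpng project. It reads only
the PNG signature and the IHDR chunk. The other two trigger conditions (8-bit
output format, non-minimal row stride) are chosen by the calling application,
not by the file, so a hit here means "review this file / this consumer", not
"this file exploits the bug".
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def parse_ihdr(data: bytes) -> dict:
    """Return the IHDR fields of a PNG byte string, or raise ValueError."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    # signature(8) + length(4) + type(4) + IHDR body(13) + CRC(4) = 33 bytes
    if len(data) < 33:
        raise ValueError("truncated before end of IHDR")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a 13-byte IHDR")
    body = data[16:29]
    (crc,) = struct.unpack(">I", data[29:33])
    # A PNG chunk CRC covers the type bytes and the data, not the length field.
    if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
        raise ValueError("IHDR CRC mismatch")
    width, height, depth, color_type, comp, filt, interlace = struct.unpack(">IIBBBBB", body)
    if comp != 0 or filt != 0 or interlace not in (0, 1):
        raise ValueError("unsupported compression/filter/interlace value")
    return {
        "width": width,
        "height": height,
        "bit_depth": depth,
        "color_type": color_type,
        "interlace": interlace,
    }


def matches_trigger_shape(data: bytes) -> bool:
    """True when the file is Adam7-interlaced with 16-bit samples."""
    h = parse_ihdr(data)
    return h["bit_depth"] == 16 and h["interlace"] == 1


def make_png_header(width: int, height: int, depth: int, color_type: int, interlace: int) -> bytes:
    """Constructed sample: signature + a valid IHDR chunk (no IDAT/IEND), for testing only."""
    body = struct.pack(">IIBBBBB", width, height, depth, color_type, 0, 0, interlace)
    crc = zlib.crc32(b"IHDR" + body) & 0xFFFFFFFF
    return PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + body + struct.pack(">I", crc)


# Constructed inputs: 64x64 RGB (color type 2) headers with different depth/interlace settings.
SAMPLE_16BIT_INTERLACED = make_png_header(64, 64, 16, 2, 1)
SAMPLE_16BIT_SEQUENTIAL = make_png_header(64, 64, 16, 2, 0)
SAMPLE_8BIT_INTERLACED = make_png_header(64, 64, 8, 2, 1)


if __name__ == "__main__":
    for name, blob in [("16-bit interlaced", SAMPLE_16BIT_INTERLACED),
                       ("16-bit sequential", SAMPLE_16BIT_SEQUENTIAL),
                       ("8-bit interlaced", SAMPLE_8BIT_INTERLACED)]:
        print(f"{name}: {'REVIEW' if matches_trigger_shape(blob) else 'ok'}")
```

A CRC mismatch or a non-IHDR first chunk is rejected rather than guessed at: libpng itself treats a bad IHDR as a fatal error, so such files would not reach png_image_finish_read's row handling anyway, and a triage filter should not be more permissive than the library it is protecting.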
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2420
Vulnerability details
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.51 to 1.6.53, there is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018. This vulnerability is fixed in 1.6.54.
- CWE(s): CWE-125 (Out-of-bounds Read)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1204.002 (User Execution: Malicious File)
Why these techniques?
A malicious PNG file requires user interaction to trigger the out-of-bounds read, leading to a crash or limited heap disclosure.
Affected Assets
- libpng 1.6.51 through 1.6.53 (fixed in 1.6.54), and any application or library linked, statically or dynamically, against one of those builds.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires applying the vendor patch that upgrades libpng from the vulnerable 1.6.51-1.6.53 range to the fixed 1.6.54 release.
- Verifies the integrity and authenticity of the libpng binary or source before it is loaded, blocking use of the known-vulnerable versions.
- RA-5 (Vulnerability Monitoring and Scanning): enables discovery of systems still running the affected libpng versions so they can be prioritized for immediate remediation.
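The discovery step above is where most libpng findings are missed, because the library is commonly statically linked or vendored and never shows up in the package manager. The following is an added example, not code from the advisory or the libpng project, that applies the 1.6.51 through 1.6.53 range to versions recovered from two sources: the shared-object file name (assumed here to follow the libpng16.so.16.<patch>.<build> convention, mapping to 1.6.<patch>) and the "libpng version X.Y.Z" text that libpng embeds in the binary for png_get_copyright (assumed present, which it is unless the build strips that string). The sample binaries are constructed byte strings, not real files.

```python
"""Inventory check for the discovery (RA-5) step: decide whether a libpng build
falls in the affected range 1.6.51 through 1.6.53 and recover the version from
the places a filesystem scan usually finds it.

Added example, not code from the advisory or the libpng project. Assumptions:
  * shared-library file names follow libpng16.so.16.<patch>.<build>, which is
    mapped to 1.6.<patch> (assumed naming convention for 1.6.x builds);
  * the binary contains the text "libpng version X.Y.Z" that libpng embeds for
    png_get_copyright(); statically linked copies keep that string too.
"""
import re
from pathlib import Path
from typing import Optional

Version = tuple[int, int, int]

AFFECTED_MIN: Version = (1, 6, 51)
AFFECTED_MAX: Version = (1, 6, 53)
FIXED: Version = (1, 6, 54)

_SONAME_RE = re.compile(r"libpng(\d)(\d)\.so\.\d+\.(\d+)(?:\.\d+)?$")
_EMBEDDED_RE = re.compile(rb"libpng version (\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """'1.6.54' -> (1, 6, 54); raises ValueError on anything else."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised libpng version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_affected(version: Version) -> bool:
    """Version-only check; distro backports that fix without bumping are not detected."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def version_from_soname(filename: str) -> Optional[Version]:
    """libpng16.so.16.53.0 -> (1, 6, 53). None when the name carries no patch
    level (the libpng16.so / libpng16.so.16 links, libpng16-16.dll)."""
    m = _SONAME_RE.search(filename)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def version_from_binary(blob: bytes) -> Optional[Version]:
    """Pull the version out of the 'libpng version X.Y.Z' string inside the file."""
    m = _EMBEDDED_RE.search(blob)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def assess(name: str, blob: bytes) -> dict:
    """Prefer the embedded string (works for static links too); fall back to the file name."""
    embedded = version_from_binary(blob)
    version = embedded or version_from_soname(name)
    source = "embedded" if embedded else ("soname" if version else None)
    return {
        "file": name,
        "version": version,
        "source": source,
        "affected": version is not None and is_affected(version),
    }


def scan_tree(root: Path) -> list[dict]:
    """Walk a directory for libpng shared objects and assess each regular file."""
    results = []
    for p in root.rglob("libpng*"):
        if p.is_file() and not p.is_symlink():
            results.append(assess(p.name, p.read_bytes()))
    return results


# Constructed samples standing in for bytes read from real library files.
SAMPLES = {
    "libpng16.so.16.52.0": b"\x7fELF...libpng version 1.6.52 - ...\x00",
    "libpng16.so.16.54.0": b"\x7fELF...libpng version 1.6.54 - ...\x00",
    "libpng16.so.16.53.0": b"\x7fELF...stripped build, no version string\x00",
    "libpng16-16.dll": b"MZ...no version string here either\x00",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(assess(name, blob))
```

Two caveats a practitioner should keep in mind. First, the check is version-only by design: a distribution that backports the 1.6.54 fix without changing the version string will be reported as affected, and the result must be reconciled against the distro's own advisory. Second, a file with neither source of version information (the last two samples) is reported as unknown rather than clean; treat unknowns as work items, not as passes.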