Critical Heap Buffer Overflow Vulnerability in Fedora's libpng Packages

Severity: High (Score: 72.0)

Sources: Linuxsecurity

Published: 2026-04-10 · Updated: 2026-04-13

Keywords: libpng, version, fedora, libpng12, heap, overflow, cve-2026

Severity indicators: heap overflow

Summary

Two vulnerabilities have been identified in the libpng library affecting Fedora 42. The first, CVE-2026-25646, is a heap buffer overflow in the libpng12 package (version 1.2.57-25), and the second affects the libpng15 package (version 1.5.30-25). Both vulnerabilities allow for potential exploitation through the png_set_quantize function, which could lead to arbitrary code execution. Users of Fedora 42 are advised to update their systems to mitigate the risk. The vulnerabilities were published on February 10, 2026, and patches are available via the dnf update program. Fedora's security team has issued advisories for both packages, urging immediate action. The issues primarily affect users who rely on these older versions of the libpng library for image processing.

Key Points:

  • CVE-2026-25646 affects both libpng12 and libpng15 packages in Fedora 42.
  • Heap buffer overflow could lead to arbitrary code execution.
  • Users are urged to update their systems immediately using dnf.

Detailed Analysis

**Impact**

Users of Fedora 42 and 43 running older versions of libpng (1.2 and 1.5) are affected by a heap buffer overflow vulnerability. This impacts systems processing PNG image files using these legacy libraries, potentially leading to application crashes or arbitrary code execution. No specific sectors, geographic regions, or data compromise details are provided in the sources.

**Technical Details**

The vulnerability (CVE-2026-25646) is a heap buffer overflow in the function `png_set_quantize` within libpng versions 1.2 and 1.5. The attack vector involves processing crafted PNG files to trigger the overflow. No malware, tools, or infrastructure details are mentioned. The vulnerability affects Fedora 42 and 43 packages and relates to the exploitation phase of the kill chain.

**Recommended Response**

Apply the Fedora security updates released on April 1, 2026, using the dnf upgrade advisories FEDORA-2026-1bf9e14627 for libpng12 and FEDORA-2026-4e514c1c36 for libpng15. Use the command `su -c 'dnf upgrade --advisory <advisory_id>'` to patch affected systems immediately. Monitor for abnormal PNG file processing and application crashes related to image handling. No additional IOCs or detection rules are provided.
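A host-side check for the remediation described above, added here as an example and not taken from the Fedora advisories or the source articles: it compares the installed libpng12/libpng15 version-release against a minimum value and prints the advisory-scoped dnf command when a package is behind. Assumptions: the minimum version-release values are placeholders taken from the summary's version numbers and must be confirmed against the advisory, and GNU `sort -V` is used as an approximation of rpm's version comparison.

```shell
#!/usr/bin/env bash
# Added example: verify that the libpng12/libpng15 fixes for CVE-2026-25646
# are installed on a Fedora host and print the advisory-scoped dnf command
# from the write-up when they are not. Package names, advisory IDs and CVE
# come from the advisory text above.
CVE="CVE-2026-25646"

# Placeholder minimum version-release values (assumption): the summary names
# 1.2.57-25 and 1.5.30-25; confirm against the advisory before relying on them.
MIN_LIBPNG12="1.2.57-25"
MIN_LIBPNG15="1.5.30-25"

# version_lt A B: succeed when version string A sorts before B.
# GNU sort -V approximates rpmvercmp; adequate for version-release strings
# of one package, not a full RPM comparison (no epoch handling).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# check_pkg NAME ADVISORY MIN: query rpm for the installed version-release.
# Returns 1 only when the package is present and older than MIN.
check_pkg() {
    pkg="$1"; advisory="$2"; min="$3"
    if ! command -v rpm >/dev/null 2>&1; then
        echo "$pkg: rpm not available, skipping live check"
        return 0
    fi
    if ! installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$pkg" 2>/dev/null); then
        echo "$pkg: not installed, so not exposed to $CVE through this package"
        return 0
    fi
    if version_lt "$installed" "$min"; then
        echo "$pkg: $installed is below $min, apply the fix:"
        echo "  su -c 'dnf upgrade --advisory $advisory'"
        return 1
    fi
    echo "$pkg: $installed is at or above $min"
}

main() {
    rc=0
    check_pkg libpng12 FEDORA-2026-1bf9e14627 "$MIN_LIBPNG12" || rc=1
    check_pkg libpng15 FEDORA-2026-4e514c1c36 "$MIN_LIBPNG15" || rc=1
    return $rc
}

main
```

The script exits non-zero when either package is installed below the minimum, so it can be dropped into a fleet check that flags hosts still needing the advisory applied.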

Source articles (3)

  • Fedora 42 libpng12 Important Heap Overflow Fix CVE-2026 — Linuxsecurity · 2026-04-10
    The libpng12 package provides libpng 1.2, an older version of the libpng library for manipulating PNG (Portable Network Graphics) image format files. This version should be used only if you are unable…
  • Fedora 42 libpng15 Critical Heap Buffer Overflow Fix CVE-2026 — Linuxsecurity · 2026-04-10
    The libpng15 package provides libpng 1.5, an older version of the libpng library for manipulating PNG (Portable Network Graphics) image format files. This version should be used only if you are unabl…
  • Fedora 43 libpng High Use-after-Free DoS Vuln 2026 — Linuxsecurity · 2026-04-13
    The libpng package contains a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files. PNG is a bit-mapped graphics format similar to the GIF format. PNG…

Timeline

  • 2026-02-10 — CVE-2026-25646 published
  • 2026-04-01 — Patches for libpng12 and libpng15 released
  • 2026-04-10 — Articles published detailing vulnerabilities and patches

CVEs

  • CVE-2026-25646

Related entities

  • Fedora (Company)
  • Libpng (Platform)