FERRAMENTAS LINUX: How to Fix the Aqualung Audio Player Out-of-Bounds Read (CVE-2025-61043)

Saturday, April 18, 2026


Fix CVE-2025-61043 in Aqualung on Fedora/RHEL/SUSE. Commands to check vulnerability, bash automation, and iptables mitigation. Plus a no-update workaround.


Published: April 18, 2026

Affects: Music playback applications using libMAC (Monkey’s Audio Codec) on Linux

Severity: Medium – can crash your player or leak memory contents


The CVE-2025-61043 vulnerability was found in the way libMAC (Monkey’s Audio Codec version <12.63) converts UTF-8 text. 

An attacker could craft a special .ape audio file that triggers an out-of-bounds read in the CAPECharacterHelper::GetUTF16FromUTF8 function. 

If you play that file in Aqualung (or any other player using the same vulnerable library), the application may crash – and in rare cases, small chunks of memory could leak.

But don’t worry. This guide works today and next year – because the fix is already merged upstream, and I’ll show you how to apply it on any major distro, plus a fallback if you cannot update.


How to check if your system is vulnerable


Run these commands on your machine, using the block that matches your distribution.

Ubuntu / Debian

bash
# Check installed libmac version (-i: match regardless of case)
dpkg -l | grep -i libmac
# If version is below 12.63, you are vulnerable.
# Check if Aqualung uses it
ldd /usr/bin/aqualung | grep -i mac

Rocky Linux / RHEL / AlmaLinux

bash
# Check libmac from EPEL
rpm -qa | grep monkeys-audio
# Look for "monkeys-audio-12.63" or higher. If missing or older → vulnerable.
# Also check Aqualung dependency
dnf repoquery --deplist aqualung | grep monkeys

SUSE Linux Enterprise / openSUSE

bash
# Check installed package
zypper search monkeys-audio
# Show version
rpm -q monkeys-audio
# Below 12.63 means vulnerable.

Quick universal check (any distro)

bash
# Find the library (file-name case differs between packagers)
find /usr/lib* -iname "*libmac*" 2>/dev/null
# Check its version strings (substitute the path that find printed on your system)
strings /usr/lib/x86_64-linux-gnu/libmac.so.12 | grep -i version
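
The 12.63 threshold used in the checks above can be compared mechanically instead of by eye. This is an added example, not part of the original post: the function names and sample version strings are constructed, the package name monkeys-audio is the one this guide uses, and GNU `sort -V` is assumed to be available.

```bash
#!/bin/bash
# Added example: compare a package version with the fixed libMAC release.
FIXED_VERSION="12.63"   # threshold stated in this guide

# Reduce a distro version string to its upstream part:
# drop an epoch ("1:") and everything from the first "-" (release/revision).
upstream_version() {
    local v="$1"
    v="${v#*:}"
    v="${v%%-*}"
    printf '%s\n' "$v"
}

# Exit status 0 when the version is older than FIXED_VERSION, 1 otherwise.
# An empty version sorts first, so an unknown version counts as vulnerable.
is_vulnerable() {
    local have oldest
    have="$(upstream_version "$1")"
    [ "$have" = "$FIXED_VERSION" ] && return 1
    # sort -V compares each numeric component, so 12.9 sorts before 12.63
    oldest="$(printf '%s\n%s\n' "$have" "$FIXED_VERSION" | sort -V | head -n1)"
    [ "$oldest" = "$have" ]
}

# Print the installed version of a package, or nothing if it is absent.
installed_version() {
    local pkg="${1:-monkeys-audio}"
    if command -v rpm >/dev/null 2>&1 && rpm -q "$pkg" >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}\n' "$pkg" | head -n1
    elif command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}\n' "$pkg" 2>/dev/null | head -n1
    fi
}

# Constructed sample strings in the shapes rpm and dpkg print them.
for sample in "12.62-1.fc41" "12.9-3" "1:12.63-1ubuntu1" "12.70-2.1"; do
    if is_vulnerable "$sample"; then
        echo "$sample -> vulnerable"
    else
        echo "$sample -> fixed"
    fi
done

# Live check of this machine (silent when the package is not installed).
live="$(installed_version monkeys-audio)"
if [ -n "$live" ]; then
    if is_vulnerable "$live"; then echo "installed $live -> vulnerable"
    else echo "installed $live -> fixed"; fi
fi
```

Distributions sometimes backport a fix without changing the upstream version number, so treat a "vulnerable" result as a prompt to read the package changelog rather than as proof.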

Automation script to apply the fix (works on Fedora, RHEL, SUSE, Ubuntu)


Save this as fix-aqualung-cve.sh and run it as root. It detects your distro and updates only the necessary packages.

bash
#!/bin/bash
# fix-aqualung-cve.sh – Evergreen fix for CVE-2025-61043
set -e

if [ "$EUID" -ne 0 ]; then
    echo "Please run as root (use sudo)."
    exit 1
fi

# Detect distro family
if [ -f /etc/os-release ]; then
    . /etc/os-release
    OS="$ID"
else
    echo "Cannot detect OS. Update libMAC to >=12.63 manually."
    exit 1
fi

case "$OS" in
    ubuntu|debian)
        apt update
        apt install -y monkeys-audio libmac-dev
        ;;
    fedora|rhel|centos|rocky|almalinux)
        # Enable EPEL for RHEL clones
        if [[ "$OS" != "fedora" ]]; then
            dnf install -y epel-release
        fi
        dnf update -y monkeys-audio libmac
        # If Aqualung was installed, reinstall it to ensure linking
        if dnf list installed aqualung &>/dev/null; then
            dnf reinstall -y aqualung
        fi
        ;;
    # SUSE Linux Enterprise reports ID=sles (server) or ID=sled (desktop)
    sles|sled|suse|opensuse-leap|opensuse-tumbleweed)
        zypper refresh
        zypper update -y monkeys-audio
        ;;
    *)
        echo "Unsupported distro. Please update libMAC to >=12.63 manually."
        exit 1
        ;;
esac

echo "Fix applied. Verify with: ldd /usr/bin/aqualung | grep mac"


Make it executable and run:

bash
chmod +x fix-aqualung-cve.sh
sudo ./fix-aqualung-cve.sh


Alternative mitigation if you can’t update now

Can't update libMAC? Maybe you are on an unsupported distro or the package maintainer is slow. Here are two workarounds:

1. Prevent Aqualung from loading the vulnerable library (using AppArmor or SELinux)


On Ubuntu / Debian with AppArmor:

bash
# Create a profile for Aqualung that blocks reading of .ape files from untrusted locations
sudo aa-genprof aqualung
# Then edit /etc/apparmor.d/usr.bin.aqualung and add:
# deny /home/*/Downloads/*.ape r,
# deny /tmp/*.ape r,
# Then reload: sudo aa-enforce /usr/bin/aqualung


With SELinux:

bash
# Put all untrusted .ape files in a specific directory and give it a dedicated label (user_tmp_t in this example)
sudo semanage fcontext -a -t user_tmp_t "/home/user/Incoming(/.*)?"
sudo restorecon -R /home/user/Incoming
# Run Aqualung with a custom SELinux policy that denies read on that context


But that is complex. The easiest alternative is:

2. Use iptables to block remote .ape streams (if you stream from internet radio)


The vulnerability is triggered only when the file is decoded. If you cannot update, at least block remote .ape streams so no malicious file enters.

bash
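# Drop outgoing TCP packets to port 80 whose payload contains the string ".ape"
# (the match is on packet contents, not on a list of stations)
sudo iptables -A OUTPUT -p tcp --dport 80 -m string --string ".ape" --algo bm -j DROP
# Traffic to port 443 is TLS-encrypted, so the string match cannot see request paths there
sudo iptables -A OUTPUT -p tcp --dport 443 -m string --string ".ape" --algo bm -j DROP
# Make persistent (use iptables-save)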


Better yet: switch to a different music player temporarily. Use vlc, mpv, or deadbeef until you update.


Suggested reading:

 
Mastering Linux Security and Hardening - Third Edition by: Donald A. Tevault - Amazon


Why this matters

This is the practical bible for Linux security. Unlike theoretical books, Tevault gives you working commands and configurations for Ubuntu and AlmaLinux/Rocky – exactly the distros you need.

What you'll learn:

  • Set up firewalls (both old iptables and new nftables)
  • Implement Mandatory Access Control with SELinux and AppArmor
  • Harden SSH to prevent break-ins (critical for remote servers)
  • Automate system auditing with OpenSCAP
  • Kernel hardening and process isolation
  • Vulnerability scanning and intrusion detection

Why it fits your situation: 

The book dedicates entire chapters to patch management, vulnerability scanning, and the exact tools (AppArmor/SELinux) mentioned in the mitigation section of the guide.



Linux Basics for Hackers, 2nd Edition by: OccupyTheWeb - Amazon


Why this matters


Don't let the "hackers" title scare you. This is the best entry point for understanding Linux from a security perspective. The author trains US military personnel and Department of Defense contractors.

What you'll learn:

  • Install Kali Linux on a virtual machine (safe practice environment)
  • Control file and directory permissions
  • Cover your tracks using logging utilities
  • Hide your internet activity with Tor, proxies, and VPNs
  • Write bash and Python scripts to scan for open ports


Why it fits your situation: The book teaches you to think like an attacker – which is exactly how you need to think to defend your systems. The scripting chapters will help you customize the automation script from the guide.


Affiliate disclosure: As an Amazon Associate, I earn from qualifying purchases. This helps me keep writing in-depth security guides – at no extra cost to you.



Conclusion: From One CVE to Long-Term Control


You now have everything you need to fix CVE-2025-61043:

✅ Commands to check if you're vulnerable (Ubuntu, Rocky, SUSE)

✅ A bash script that auto-detects your distro and applies the fix

✅ An iptables fallback if you cannot update right now

✅ A list of books to build real Linux security skills

But here's the hard truth: This won't be your last vulnerability.







