FERRAMENTAS LINUX: The 15-Year-Old PNG Library Flaw Still Haunts Linux: How to Fix CVE-2026-25646 Today

Sunday, 12 April 2026

libpng12 heap overflow (CVE-2026-25646): how to detect it, patch it, or contain it on the major Linux distributions. Bash script included. No fluff.

You probably haven't thought about libpng12 in years. But if you're running an old application that still depends on it (legacy imaging software, older game servers, ancient CRM tools), a newly disclosed heap overflow, CVE-2026-25646, can crash that service or, worse, hand an attacker code execution through a single malicious PNG.

The bug lives in png_set_quantize(). In the 1.2 API the same routine is still called png_set_dither(); it was renamed png_set_quantize() in libpng 1.4, so that is the symbol to look for in 1.2.x sources. It is a heap buffer overflow, so one crafted image file is enough for memory corruption in whatever process decodes it.

The evergreen truth: this won't be the last time libpng12 breaks. The library was deprecated in 2017, and every new CVE in it is another reason to migrate. Until you can, here is how to survive.

How to check if you are vulnerable

Run the command for your distribution. Two things make you exposed: a libpng12 package is installed, and something actually loads it. The package check is the quick first pass.

Ubuntu / Debian (including old 18.04, 20.04)

bash
dpkg -l | grep libpng12

A line beginning with ii (installed) for libpng12-0 means you are exposed. A line beginning with rc is a removed-but-not-purged package and is harmless. If the package shows as installed but apt reports no update candidate, it came from a third-party .deb rather than the distribution archive, and no distro fix will arrive for it.

Rocky Linux / AlmaLinux / RHEL 7 - 8

bash
rpm -qa | grep libpng12

SUSE Linux Enterprise / openSUSE Leap 15

bash
zypper search --installed-only libpng12


Fedora  / Mageia (historical)

Mageia 9 users already have the fixed build, libpng12-1.2.59-3.1.mga9. Mageia names the 64-bit library package lib64png12_0, so match on "png12" rather than on the source package name:

bash
rpm -qa | grep -i png12
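A deeper check than the package listing, added here as an example (it is not part of the original post): it runs the same package queries, then scans /proc/*/maps for processes that actually have a libpng12 shared object loaded, which is the code an attacker-supplied PNG reaches. Assumptions: Mageia's lib64png12_0 naming for the 64-bit library package, and a Linux /proc layout. The SAMPLE_DPKG listing is constructed for illustration and is not real data.

```shell
#!/bin/sh
# Added example, not from the original post: libpng12 exposure check that
# goes one step past "is the package installed?" and lists the processes
# that currently have the library mapped.

# Constructed sample of `dpkg -l` output (illustration only; not real data).
SAMPLE_DPKG='ii  libpng12-0:amd64 1.2.54-1ubuntu1.1 amd64 PNG library - runtime
ii  libpng16-16:amd64 1.6.37-2 amd64 PNG library - runtime
rc  libpng12-dev 1.2.54-1ubuntu1.1 amd64 PNG library - development'

# parse_dpkg_listing: read `dpkg -l` output on stdin, print "<pkg> <version>"
# for each *installed* (status "ii") libpng12 package. Status "rc" means
# removed-but-not-purged and is skipped.
parse_dpkg_listing() {
    awk '$1 == "ii" && $2 ~ /^libpng12/ { print $2, $3 }'
}

# parse_rpm_listing: read `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`
# output on stdin and print the libpng12 lines. Mageia names the 64-bit
# library package lib64png12_0 (assumption), so match "png12" anywhere.
parse_rpm_listing() {
    awk '$1 ~ /png12/ { print $1, $2 }'
}

# installed_png12: query whichever package database this host has.
installed_png12() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg -l 2>/dev/null | parse_dpkg_listing
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 2>/dev/null | parse_rpm_listing
    fi
    return 0
}

# png12_loaded_pids: print "<pid> <comm> <mapped path>" for every process
# that has a libpng12 shared object mapped. Run as root to see all processes;
# unprivileged runs only see your own. A path ending in "(deleted)" means
# the file on disk was replaced by an update but the old code is still
# running, i.e. that process still needs a restart.
png12_loaded_pids() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        # maps line: addr perms offset dev inode path [ (deleted)]
        path=$(grep -m1 'libpng12\.so' "$maps" 2>/dev/null |
               awk '{ print substr($0, index($0, $6)) }')
        [ -n "$path" ] || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
        echo "$pid $comm $path"
    done
    return 0
}

main() {
    echo "[*] libpng12 packages installed:"
    pkgs=$(installed_png12)
    echo "${pkgs:-    none found (or neither dpkg nor rpm is present)}"
    echo "[*] processes with libpng12 mapped right now:"
    procs=$(png12_loaded_pids)
    echo "${procs:-    none visible to $(id -un)}"
}

main
```

Run it as root before and after patching: before, the second list tells you which services are really exposed; after, any entry marked "(deleted)" is a service that is still executing the old, vulnerable copy and has to be restarted.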

Automation script to apply the fix (bash – works on major distros)

Save this as fix-libpng12.sh and run it as root.
It detects your distro, updates libpng12, then finds the processes that still have the old copy of the library mapped and restarts the systemd units that own them. Updating the file on disk does nothing for a process that already loaded it; that process keeps running the vulnerable code until it restarts.
bash
#!/bin/bash
# Fix for CVE-2026-25646 (libpng12 heap overflow): update the package, then
# restart only what still has the old library mapped.
set -euo pipefail

echo "[*] Updating libpng12..."

if command -v apt-get >/dev/null 2>&1; then
    echo "[+] Ubuntu/Debian detected"
    apt-get update
    # --only-upgrade: refresh the package if present, never install it fresh.
    apt-get install -y --only-upgrade libpng12-0
elif command -v dnf >/dev/null 2>&1; then
    echo "[+] RHEL 8+/Rocky/Alma/Fedora detected"
    dnf update -y libpng12
elif command -v yum >/dev/null 2>&1; then
    echo "[+] RHEL 7/CentOS 7 detected"
    yum update -y libpng12
elif command -v zypper >/dev/null 2>&1; then
    echo "[+] SUSE detected"
    zypper refresh
    zypper --non-interactive update libpng12-0
else
    echo "[-] Distro not auto-detected. Update libpng12 manually." >&2
    exit 1
fi

echo "[*] Processes still running the OLD library (replaced file shows as '(deleted)' in /proc/PID/maps):"
# A replaced .so stays mapped in running processes until they restart.
stale=$(grep -l 'libpng12\.so.*(deleted)' /proc/[0-9]*/maps 2>/dev/null | cut -d/ -f3 || true)
[ -n "$stale" ] || echo "    none; nothing to restart"
for pid in $stale; do
    comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
    # `systemctl status PID` names the unit that owns the process on its first line.
    unit=$(systemctl status "$pid" 2>/dev/null | head -n1 | awk '{print $2}' || true)
    echo "    pid $pid ($comm) -> unit ${unit:-none}"
    if [ -n "$unit" ]; then
        systemctl restart "$unit" || echo "    restart of $unit failed; restart it by hand" >&2
    fi
done

echo "[✓] libpng12 updated. Anything listed above that could not be restarted (session scopes, containers, processes without a unit) must be restarted by hand."


Make it executable and run:

bash
chmod +x fix-libpng12.sh
sudo ./fix-libpng12.sh

Alternative mitigation (if you can’t update right now)

You have a legacy app pinned to libpng12, you can't rebuild it, and the distro's fixed package breaks it (or, for a third-party .deb, no fixed package exists).

Do this instead: reduce what a malicious PNG can reach, at the network edge and around the process.

Option 1: iptables rate-limit (if your app receives PNGs over plain HTTP)

This does not stop the overflow; it only slows mass exploitation attempts. Match the 8-byte PNG signature as hex rather than the text "PNG": the literal string "PNG" also appears in every browser's Accept: image/png request header, so a plain --string "PNG" match drops legitimate requests.

bash
# Accept at most 5 segments per minute (burst 10) carrying a PNG signature on port 80, drop the rest
iptables -A INPUT -p tcp --dport 80 -m string --algo bm --hex-string '|89 50 4E 47 0D 0A 1A 0A|' -m limit --limit 5/minute --limit-burst 10 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m string --algo bm --hex-string '|89 50 4E 47 0D 0A 1A 0A|' -j DROP

Know its limits: it sees only plaintext port 80 (TLS hides the body), it matches per TCP segment so a signature split across two segments passes, and dropping a segment mid-stream stalls that upload rather than cleanly rejecting it. Put the rules before any general ACCEPT for port 80, and test with a real upload before leaving them in place.


Option 2: AppArmor profile to restrict libpng12-using apps

Create /etc/apparmor.d/usr.bin.legacy-app. The two include lines matter: tunables/global defines the standard path variables, and abstractions/base grants the dynamic loader, libc and a few other essentials; without it the profile confines the app so tightly that it cannot even start.

text
#include <tunables/global>

/usr/bin/legacy-app {
  #include <abstractions/base>

  /usr/bin/legacy-app mr,
  /usr/lib/x86_64-linux-gnu/libpng12.so.0 mr,

  # Add the app's own config, data and socket paths here, read-only where possible.

  # Everything not listed is already denied; explicit deny rules also keep
  # these paths out of the audit log.
  deny /tmp/** w,
  deny /home/*/.cache/** w,
}


Then load it and confirm it is active:

bash
apparmor_parser -r /etc/apparmor.d/usr.bin.legacy-app
aa-status | grep legacy-app

Start in complain mode (aa-complain /usr/bin/legacy-app), read the apparmor="DENIED" lines in the kernel log (journalctl -k, or /var/log/audit/audit.log when auditd is running) to learn which paths the app really needs, add them, then switch to enforce with aa-enforce. On the RHEL family there is no AppArmor; the equivalent containment is an SELinux policy module.
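Option 3: reject malformed PNG containers before the legacy app sees them

The section above talks about blocking malformed PNGs at the filesystem level; here is an added example of such a gate (example code written for this page, not from the original post or from libpng). It checks the 8-byte signature, walks the chunk list, and rejects files whose chunk lengths run past end-of-file or beyond the spec's 2^31-1 cap, whose first chunk is not a 13-byte IHDR, whose chunk type is not four ASCII letters, or that do not end with IEND. It does not verify chunk CRCs, and it does not know the specific trigger of CVE-2026-25646; it is a generic structural pre-filter that removes the cheapest class of crafted files. The sample PNG that make_sample builds is constructed for illustration only and has zeroed CRC fields.

```shell
#!/bin/sh
# Added example (not from the original post): structural PNG pre-check to run
# on files before a libpng12-linked application decodes them.
# Generic container sanity only; chunk CRCs are not verified.

# be32_at FILE OFFSET: print the big-endian 32-bit value at OFFSET, or fail
# if fewer than 4 bytes are available there.
be32_at() {
    set -- $(od -An -tu1 -j "$2" -N 4 "$1")
    [ $# -eq 4 ] || return 1
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# type_at FILE OFFSET: print the chunk type at OFFSET, keeping only ASCII
# letters (the spec allows nothing else in a chunk type).
type_at() {
    dd if="$1" bs=1 skip="$2" count=4 2>/dev/null | tr -cd 'A-Za-z'
}

# png_sane FILE: return 0 if the PNG container is well-formed, 1 (with a
# one-line reason on stdout) otherwise.
png_sane() {
    f=$1
    size=$(wc -c < "$f" | tr -d ' ')
    sig=$(od -An -tx1 -N 8 "$f" | tr -d ' \n')
    [ "$sig" = "89504e470d0a1a0a" ] || { echo "bad PNG signature"; return 1; }
    off=8
    first=1
    last=
    while [ "$off" -lt "$size" ]; do
        # Chunk layout: 4-byte length, 4-byte type, <length> bytes data, 4-byte CRC.
        [ $((off + 12)) -le "$size" ] || { echo "truncated chunk header at offset $off"; return 1; }
        len=$(be32_at "$f" "$off") || return 1
        typ=$(type_at "$f" $((off + 4)))
        [ ${#typ} -eq 4 ] || { echo "invalid chunk type at offset $off"; return 1; }
        # The spec caps a chunk length at 2^31-1; anything larger is a crafted value.
        [ "$len" -le 2147483647 ] || { echo "chunk $typ length $len exceeds spec limit"; return 1; }
        [ $((off + 12 + len)) -le "$size" ] || { echo "chunk $typ at offset $off runs past EOF"; return 1; }
        if [ "$first" -eq 1 ]; then
            [ "$typ" = "IHDR" ] || { echo "first chunk is $typ, not IHDR"; return 1; }
            [ "$len" -eq 13 ] || { echo "IHDR length is $len, expected 13"; return 1; }
            first=0
        fi
        last=$typ
        off=$((off + 12 + len))
    done
    [ "$last" = "IEND" ] || { echo "last chunk is ${last:-none}, not IEND"; return 1; }
    return 0
}

# make_sample FILE: write a constructed, structurally valid 1x1 8-bit
# grayscale PNG (signature, IHDR, empty IDAT, IEND). CRC fields are zeros,
# which this check ignores; a real decoder would reject the file.
make_sample() {
    {
        printf '\211PNG\r\n\032\n'
        printf '\000\000\000\015IHDR\000\000\000\001\000\000\000\001\010\000\000\000\000\000\000\000\000'
        printf '\000\000\000\000IDAT\000\000\000\000'
        printf '\000\000\000\000IEND\000\000\000\000'
    } > "$1"
}

# Usage: sh png-sane.sh FILE...   (non-zero exit if any file is rejected)
rc=0
for f in "$@"; do
    if png_sane "$f"; then echo "OK: $f"; else echo "REJECT: $f"; rc=1; fi
done
[ $# -eq 0 ] || exit "$rc"
```

Wire it in front of whatever hands files to the legacy app (an upload handler, an inotify watcher on the drop directory) and quarantine anything it rejects. Chunk-length lies and truncated chunks are exactly the kind of malformed input that pushes a decoder's indexing past a heap buffer, which is why a cheap length-consistency walk is worth doing even though it cannot substitute for the patch.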

Caveat: These are temporary shields. They reduce risk but don’t fix the heap overflow. Only updating libpng12 or recompiling your app with a modern libpng (≥1.6) truly closes the door.


Why this keeps happening (and what to read)

The libpng 1.2 branch ended with 1.2.59 and has been unmaintained since 2017. Distros kept the library alive for binary compatibility with old applications, so every new CVE in it is a vulnerability from the grave: the fix gets backported by whichever distro still ships the package, or not at all.

You need to stop playing whack-a-mole with legacy libraries. The practical skill is reading and patching old C code: auditing the allocation sites and bounds checks yourself when upstream is gone.

Suggested reading:

👉 Buy: “The Linux Programming Interface” by Michael Kerrisk – Amazon

Why this book matters

Chapter 7 (memory allocation) and Chapter 49 (memory mappings) explain how the heap is laid out and why a write that runs past the end of a heap buffer corrupts neighbouring allocations and allocator metadata, which is what a heap overflow like the one in png_set_quantize() gives an attacker. It does not cover this CVE specifically, but if you maintain any system with deprecated libraries, it is the background that lets you read such a bug report and judge the patch yourself.









