Use-after-free in libpng16 (CVE-2026-33416) allows remote code execution via malformed PNGs. Learn to check, patch, or block attacks on Ubuntu, Rocky, SUSE. Includes automation script and AppArmor mitigation.
First, a quick historical note: In April 2026, SUSE issued a fix (SUSE-SU-2026:1323-1) for a critical use-after-free vulnerability in libpng16, tracked as CVE-2026-33416. Attackers could trigger this bug by feeding a specially crafted PNG image to any application that uses libpng16 (image viewers, web browsers, scanners, or server-side image processors).
But here’s the truth: this same pattern of bug – a use-after-free in png_set_tRNS and png_set_PLTE via pointer aliasing – has appeared in image libraries before and will appear again. That’s why this guide is built to help you today, next month, or two years from now.
How to check if you are vulnerable (actual commands)
Ubuntu / Debian
dpkg -l | grep libpng16
# If you see a version like 1.6.37-3ubuntu0.1 or lower, you need to update
# For a detailed check:
apt list --installed 2>/dev/null | grep libpng16
Rocky Linux / AlmaLinux / RHEL
rpm -q libpng16
# Fixed version for RHEL-based is typically >= 1.6.34-7.el9_3
# Compare with: https://access.redhat.com/security/cve/CVE-2026-33416
SUSE Linux Enterprise / openSUSE
zypper info libpng16-16 | grep Version
# Fixed version: 1.6.34-150000.3.22.1 or higher
# Check if you have the patch applied:
zypper patches | grep 1323
Generic (any distro)
ldconfig -p | grep libpng16
# Or find the library file:
find /usr/lib* -name "libpng16.so*" 2>/dev/null
If you see version numbers lower than the fixed ones above, you’re vulnerable.
Automation script to apply the fix (bash compatible with major distros)
#!/bin/bash
# libpng16 use-after-free fix script
# Works on: Ubuntu, Debian, Rocky, Alma, RHEL, SUSE, openSUSE
set -e

detect_os() {
    if [ -f /etc/os-release ]; then
        . /etc/os-release
        OS=$ID
        VER=$VERSION_ID
    else
        echo "Cannot detect OS. Exiting."
        exit 1
    fi
}

apply_fix() {
    case $OS in
        ubuntu|debian)
            apt update
            apt install -y libpng16-16
            ;;
        rocky|almalinux|rhel|centos)
            yum update -y libpng16
            ;;
        sles|suse|opensuse-leap|opensuse-tumbleweed)  # SLES reports ID=sles in /etc/os-release
            zypper refresh
            zypper update -y libpng16-16
            ;;
        *)
            echo "Unsupported OS. Please update libpng16 manually."
            exit 1
            ;;
    esac
}

verify_fix() {
    echo "Verifying update..."
    case $OS in
        ubuntu|debian)
            dpkg -l | grep libpng16
            ;;
        rocky|almalinux|rhel|centos)
            rpm -q libpng16
            ;;
        sles|suse|opensuse-leap|opensuse-tumbleweed)
            zypper info libpng16-16 | grep Version
            ;;
    esac
    echo "Done. If version >= 1.6.34-150000.3.22.1 (or distro equivalent), you are safe."
}

detect_os
echo "Detected OS: $OS"
apply_fix
verify_fix
Alternative mitigation if you can't update now
1. Block malformed PNGs with iptables (if your app receives PNGs over network)
If you run a web server or API that processes user-uploaded images, drop requests that contain suspicious PNG chunks:
# Logs and then drops any TCP segment to port 443 whose payload contains the string "tRNS".
# Adjust --dport (and the string) to your application's endpoint. This only works on
# plaintext traffic, e.g. behind a TLS-terminating proxy, because TLS hides the payload.
# Insert the DROP rule first: each -I goes to the top of the chain, so the LOG rule inserted
# afterwards ends up above it and is actually reached.
iptables -I INPUT -p tcp --dport 443 -m string --string "tRNS" --algo bm -j DROP
iptables -I INPUT -p tcp --dport 443 -m string --string "tRNS" --algo bm -j LOG --log-prefix "BLOCK_PNG_EXPLOIT"
Warning: String matching can be evaded, and tRNS is a legitimate chunk in many valid PNGs, so this rule also drops benign uploads. Use it only as a temporary emergency measure.
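A more precise version of the same idea, added here as an example (not code from the original post or from libpng): an application-layer pre-check that walks the PNG chunk list and rejects files whose PLTE or tRNS chunks are structurally malformed before the bytes reach libpng16. It assumes your upload handler can call validate_png() on the raw file; sample_palette_png() builds a constructed 1x1 test image.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# tRNS length: fixed for grey (0) and truecolour (2), bounded by PLTE size for palette (3), none for 4/6
TRNS_FIXED_LEN = {0: 2, 2: 6}

def chunk(name: bytes, body: bytes) -> bytes:
    """Encode one chunk: big-endian length, type, data, CRC32 over type + data."""
    return struct.pack(">I", len(body)) + name + body + struct.pack(">I", zlib.crc32(name + body))

def sample_palette_png(trns_len: int) -> bytes:
    """Constructed 1x1 indexed PNG: one-entry palette and a tRNS of trns_len bytes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 3, 0, 0, 0)  # 8-bit depth, colour type 3 (palette)
    idat = zlib.compress(b"\x00\x00")                      # filter byte + one palette index
    return (PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"PLTE", b"\x10\x20\x30")
            + chunk(b"tRNS", b"\x80" * trns_len) + chunk(b"IDAT", idat) + chunk(b"IEND", b""))

def validate_png(data: bytes) -> list:
    """Walk the chunk list and return structural problems; [] means well-formed."""
    problems, seen, pos, color_type, palette_entries = [], [], len(PNG_SIG), None, 0
    if not data.startswith(PNG_SIG):
        return ["bad PNG signature"]
    while pos + 8 <= len(data) and "IEND" not in seen:
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        name, body = ctype.decode("latin-1"), data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            problems.append(f"truncated chunk {name}")
            break
        if struct.unpack(">I", crc)[0] != zlib.crc32(ctype + body):
            problems.append(f"bad CRC in {name}")
        if name == "IHDR":
            color_type = body[9] if length == 13 else None  # colour type sits at offset 9
        elif name == "PLTE":
            if length == 0 or length % 3 or length > 768 or "IDAT" in seen:
                problems.append("PLTE length or position invalid")
            palette_entries = length // 3
        elif name == "tRNS":
            ok = (color_type == 3 and "PLTE" in seen and length <= palette_entries) \
                or length == TRNS_FIXED_LEN.get(color_type)
            if not ok or "IDAT" in seen:
                problems.append("tRNS length, position or colour type invalid")
        seen.append(name)
        pos += 12 + length
    if "IEND" not in seen:
        problems.append("missing IEND")
    elif pos != len(data):
        problems.append("trailing data after IEND")
    return problems
```

Reject the upload when the returned list is non-empty; a clean result only means the chunk layout is sane, so the library still has to be patched.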
2. AppArmor profile to restrict libpng16-using apps
#include <tunables/global>

/usr/bin/my-image-viewer {
    #include <abstractions/base>

    # AppArmor cannot stop the use-after-free itself; these rules deny the write and
    # execute access a dropped payload would need in writable scratch directories
    deny /tmp/** wrix,
    deny /dev/shm/** wrix,
    deny /proc/sys/** rw,
    deny /**/.ssh/** rw,

    # Only allow reading of normal image locations
    /path/to/images/ r,
    /path/to/images/** r,
}

Save the profile as /etc/apparmor.d/usr.bin.my-image-viewer (the file name must match the binary path used above) and load it:

apparmor_parser -r /etc/apparmor.d/usr.bin.my-image-viewer
3. Run risky image processing in a container with read-only root
docker run --rm --read-only --tmpfs /tmp:rw,noexec,nosuid \
  -v /path/to/uploads:/uploads:ro \
  my-image-converter:legacy

With a read-only root filesystem and a noexec /tmp, the process has no writable location from which a dropped payload could be executed. This does not prevent the memory corruption itself, so the image still needs the patched libpng16.
What helps you actually solve this problem long-term
You cannot chase every CVE manually. The pros use automated vulnerability management that maps CVEs to running processes.
Suggested reading:
Book: Linux Observability with BPF - Amazon
Why this helps: BPF allows you to trace free() and malloc() calls in libpng16 in real time – without restarting your app. You can literally see a use-after-free happen before it crashes. This book teaches you how to build your own runtime security tools.
Affiliate disclosure: As an Amazon Associate, I earn from qualifying purchases. This helps me keep writing in-depth security guides – at no extra cost to you.
Call to action
Don’t wait for the next libpng CVE.
Subscribe to the Linux Security Weekly newsletter – one actionable fix every Tuesday, no noise. No spam. Unsubscribe anytime.