Amazon Linux 2 Security Advisory: ALAS2-2026-3189
Advisory Released Date: 2026-03-06
Advisory Updated Date: 2026-03-06
Severity:
Medium
Issue Overview:
libpng: An out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer.
The images that trigger this vulnerability are valid per the PNG specification. (CVE-2026-25646)
Affected Packages:
libpng
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update libpng or yum update --advisory ALAS2-2026-3189 to update your system.
New Packages:
aarch64:
libpng-1.5.13-8.amzn2.0.7.aarch64
libpng-devel-1.5.13-8.amzn2.0.7.aarch64
libpng-static-1.5.13-8.amzn2.0.7.aarch64
libpng-debuginfo-1.5.13-8.amzn2.0.7.aarch64
i686:
libpng-1.5.13-8.amzn2.0.7.i686
libpng-devel-1.5.13-8.amzn2.0.7.i686
libpng-static-1.5.13-8.amzn2.0.7.i686
libpng-debuginfo-1.5.13-8.amzn2.0.7.i686
src:
libpng-1.5.13-8.amzn2.0.7.src
x86_64:
libpng-1.5.13-8.amzn2.0.7.x86_64
libpng-devel-1.5.13-8.amzn2.0.7.x86_64
libpng-static-1.5.13-8.amzn2.0.7.x86_64
libpng-debuginfo-1.5.13-8.amzn2.0.7.x86_64