Amazon Linux 2023 Security Advisory: ALAS2023-2026-1670
Advisory Released Date: 2026-05-14
Advisory Updated Date: 2026-05-14
Severity:
Medium
Issue Overview:
Use-after-free in png_set_PLTE, png_set_tRNS and png_set_hIST in libpng before 1.6.57. Passing a pointer returned by the corresponding getter back into the setter causes the setter to read from a stale pointer after freeing the internal buffer, leading to corrupted chunk data and potential heap information disclosure. (CVE-2026-34757)
Affected Packages:
libpng
Issue Correction:
Run dnf update libpng --releasever 2023.11.20260511 or dnf update --advisory ALAS2023-2026-1670 --releasever 2023.11.20260511 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation
New Packages:
aarch64:
libpng-tools-debuginfo-1.6.37-10.amzn2023.0.13.aarch64
libpng-debugsource-1.6.37-10.amzn2023.0.13.aarch64
libpng-tools-1.6.37-10.amzn2023.0.13.aarch64
libpng-static-1.6.37-10.amzn2023.0.13.aarch64
libpng-debuginfo-1.6.37-10.amzn2023.0.13.aarch64
libpng-1.6.37-10.amzn2023.0.13.aarch64
libpng-devel-1.6.37-10.amzn2023.0.13.aarch64
libpng-devel-debuginfo-1.6.37-10.amzn2023.0.13.aarch64
src:
libpng-1.6.37-10.amzn2023.0.13.src
x86_64:
libpng-static-1.6.37-10.amzn2023.0.13.x86_64
libpng-debugsource-1.6.37-10.amzn2023.0.13.x86_64
libpng-1.6.37-10.amzn2023.0.13.x86_64
libpng-debuginfo-1.6.37-10.amzn2023.0.13.x86_64
libpng-devel-1.6.37-10.amzn2023.0.13.x86_64
libpng-devel-debuginfo-1.6.37-10.amzn2023.0.13.x86_64
libpng-tools-1.6.37-10.amzn2023.0.13.x86_64
libpng-tools-debuginfo-1.6.37-10.amzn2023.0.13.x86_64