SB2026050705 - SUSE update for libpng12



Published: May 7, 2026

Security Bulletin ID SB2026050705
CSH Severity High
Patch available YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 33%, Low 67%

Description

This security bulletin contains information about 3 vulnerabilities.


1) Input validation error (CVE-ID: CVE-2017-12652)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in libpng when checking the chunk length against the user limit. A remote attacker can supply a specially crafted PNG image and crash the affected application.


2) Use-after-free (CVE-ID: CVE-2026-33416)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to use-after-free in png_set_tRNS and png_set_PLTE when processing a crafted PNG file and subsequent decoding after png_free_data() or repeated setter calls. A remote attacker can supply a specially crafted PNG file to execute arbitrary code.

User interaction is required to open or process the crafted PNG file, and exploitation affects applications that free PNG data between png_read_info() and png_read_update_info().


3) Use-after-free (CVE-ID: CVE-2026-34757)

The vulnerability allows a remote attacker to disclose heap information and corrupt chunk data.

The vulnerability exists due to use-after-free in png_set_PLTE, png_set_tRNS, and png_set_hIST when passing a pointer returned by the corresponding getter back into the setter on the same png_struct/png_info pair. A remote attacker can pass an aliased pointer to cause the library to read freed memory and copy stale or unrelated heap contents into replacement storage to disclose heap information and corrupt chunk data.

The issue cannot be triggered by a crafted PNG file alone; exploitation requires the application to call the getter and setter in sequence on the same struct pair, and any image containing the relevant chunk is sufficient to set up the internal pointer.
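
A simplified, self-contained C model of the getter-then-setter aliasing described above, with the caller-side fix of copying the getter's result into caller-owned memory before calling the setter. This is an added example, not libpng source or code from the bulletin: info_t, color_t and the model_* functions are hypothetical stand-ins for png_info, palette entries and the PLTE getter/setter, and the free-before-copy ordering is an assumption drawn from the bulletin's description.

```c
/* Added example: simplified model, NOT libpng source. All names are hypothetical. */
#include <stdlib.h>
#include <string.h>

typedef struct { unsigned char r, g, b; } color_t;
typedef struct { color_t *palette; int num; } info_t;  /* stands in for png_info */

/* Model setter with the hazardous ordering (assumed from the bulletin text):
 * old storage is released before the caller's data is copied. */
static int model_set_palette(info_t *info, const color_t *src, int n) {
    free(info->palette);                 /* src would dangle here if it aliased */
    info->palette = malloc((size_t)n * sizeof *src);
    if (info->palette == NULL) { info->num = 0; return -1; }
    memcpy(info->palette, src, (size_t)n * sizeof *src);
    info->num = n;
    return 0;
}

/* Model getter: hands out the internal pointer, the aliasing source. */
static int model_get_palette(const info_t *info, color_t **out, int *n) {
    *out = info->palette;
    *n = info->num;
    return info->palette != NULL;
}

/* Caller-side mitigation: snapshot the getter's result so the pointer
 * passed to the setter never aliases library-owned storage. */
static int set_palette_from_current(info_t *info) {
    color_t *cur; int n;
    if (!model_get_palette(info, &cur, &n) || n <= 0) return -1;
    color_t *copy = malloc((size_t)n * sizeof *copy);
    if (copy == NULL) return -1;
    memcpy(copy, cur, (size_t)n * sizeof *copy);
    int rc = model_set_palette(info, copy, n);
    free(copy);
    return rc;
}

/* Constructed sample: load 3 entries, round-trip them, check they survive. */
static int round_trip_preserves_palette(void) {
    const color_t sample[3] = {{255, 0, 0}, {0, 255, 0}, {0, 0, 255}};
    info_t info = {NULL, 0};
    if (model_set_palette(&info, sample, 3) != 0) return 0;
    if (set_palette_from_current(&info) != 0) { free(info.palette); return 0; }
    int ok = info.num == 3 && memcmp(info.palette, sample, sizeof sample) == 0;
    free(info.palette);
    return ok;
}

int main(void) { return round_trip_preserves_palette() ? 0 : 1; }
```

When auditing application code, the pattern to look for is a pointer obtained from a getter reaching the matching setter on the same struct pair without an intervening copy.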


Remediation

Install the update from the vendor's website.