Amazon Linux 2 : libpng12, --advisory ALAS2-2025-3113 (ALAS-2025-3113)

🗓️ 05 Jan 2026 00:00:00Reported by TenableType

Libpng12 before 1.2.50-10 is vulnerable to heap buffer over-read and out-of-bounds read per ALAS2-2025-3113.

Reporter	Title	Published	Views	Family All 467
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in DataStage on Cloud Pak for Data	25 Feb 202616:28	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Instana Observability has addressed Multiple Vulnerabilities within Instana Agent container image	3 Mar 202613:53	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for March 2026.	27 Mar 202609:11	–	ibm
IBM Security Bulletins	Security Bulletin: IBM QRadar SIEM is vulnerable to using components with known vulnerabilities	28 Jan 202615:42	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple secuirty vulnerabilies addressed with IBM Business Automation Workflow (traditional and containers) March 2026	27 Mar 202608:58	–	ibm
IBM Security Bulletins	Security Bulletin:Vulnerabilities in LIBPNG affects IBM Netezza Appliance	15 Apr 202611:16	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in libpng affects IBM Netezza Appliance	22 Apr 202612:14	–	ibm
GithubExploit	Exploit for CVE-2025-64720	25 Nov 202510:19	–	githubexploit
GithubExploit	Exploit for Out-of-bounds Read in Libpng	22 Jan 202611:35	–	githubexploit
GithubExploit	Exploit for Out-of-bounds Read in Libpng	14 Dec 202518:41	–	githubexploit

Source	Link
alas	www.alas.aws.amazon.com//AL2/ALAS2-2025-3113.html
alas	www.alas.aws.amazon.com/faqs.html
explore	www.explore.alas.aws.amazon.com/CVE-2025-64505.html
explore	www.explore.alas.aws.amazon.com/CVE-2025-64720.html
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux 2 Security Advisory ALAS-2025-3113.
##

include('compat.inc');

if (description)
{
  script_id(281790);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/01/05");

  script_cve_id("CVE-2025-64505", "CVE-2025-64720");

  script_name(english:"Amazon Linux 2 : libpng12, --advisory ALAS2-2025-3113 (ALAS-2025-3113)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Amazon Linux 2 host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"The version of libpng12 installed on the remote host is prior to 1.2.50-10. It is, therefore, affected by multiple
vulnerabilities as referenced in the ALAS2-2025-3113 advisory.

    A heap buffer over-read vulnerability exists in libpng's png_do_quantize function when processing PNG
    files with malformed palette indices. The vulnerability occurs when palette_lookup array bounds are not
    validated against externally-supplied image data, allowing an attacker to craft a PNG file with out-of-
    range palette indices that trigger out-of-bounds memory access. (CVE-2025-64505)

    LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable
    Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, an out-of-bounds read
    vulnerability exists in png_image_read_composite when processing palette images with
    PNG_FLAG_OPTIMIZE_ALPHA enabled. The palette compositing code in png_init_read_transformations incorrectly
    applies background compositing during premultiplication, violating the invariant component <= alpha x 257
    required by the simplified PNG API. This issue has been patched in version 1.6.51. (CVE-2025-64720)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com//AL2/ALAS2-2025-3113.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/faqs.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2025-64505.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2025-64720.html");
  script_set_attribute(attribute:"solution", value:
"Run 'yum update libpng12' or
  or 'yum update --advisory ALAS2-2025-3113' to update your system.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-64720");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/11/24");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/01/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/01/05");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libpng12");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libpng12-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libpng12-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Amazon Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}

include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

var alas_release = get_kb_item("Host/AmazonLinux/release");
if (isnull(alas_release) || !strlen(alas_release)) audit(AUDIT_OS_NOT, "Amazon Linux");
var os_ver = pregmatch(pattern: "^AL(A|\d+|-\d+)", string:alas_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "2")
{
  if (os_ver == 'A') os_ver = 'AMI';
  audit(AUDIT_OS_NOT, "Amazon Linux 2", "Amazon Linux " + os_ver);
}

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var pkgs = [
    {'reference':'libpng12-1.2.50-10.amzn2.0.3', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'libpng12-1.2.50-10.amzn2.0.3', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'libpng12-1.2.50-10.amzn2.0.3', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'libpng12-debuginfo-1.2.50-10.amzn2.0.3', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'libpng12-debuginfo-1.2.50-10.amzn2.0.3', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'libpng12-debuginfo-1.2.50-10.amzn2.0.3', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'libpng12-devel-1.2.50-10.amzn2.0.3', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'libpng12-devel-1.2.50-10.amzn2.0.3', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'libpng12-devel-1.2.50-10.amzn2.0.3', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  var exists_check = NULL;
  var cves = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (!empty_or_null(package_array['cves'])) cves = package_array['cves'];
  if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
    if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libpng12 / libpng12-debuginfo / libpng12-devel");
}

05 Jan 2026 00:00Current

6Medium risk

Vulners AI Score6

CVSS 3.17.1

EPSS0.00079

SSVC