News and History of the PNG Development Group from 2025

Herein lie news items and historical stuff primarily of interest to the Portable Network Graphics Development Group itself. Feel free to poke around even if you're not a member, though. Note that some of the links, particularly the older ones, are broken; in some cases this is explained by later entries. Other links (CompuServe, tcg.arl.mil) have fallen prey to reorganizations or upgrades; should they ever reappear, the entries below will be updated as needed.

On the other hand, keep in mind that this is history here...updates to older entries are really not a priority these days.

• current - see here

• 21 November 2025 - libpng 1.6.51 is released with fixes for several security vulnerabilities:
  • CVE-2025-64505 (moderate severity): Heap buffer overflow in png_do_quantize() via malformed palette index
  • CVE-2025-64506 (moderate severity): Heap buffer over-read in png_write_image_8bit() with 8-bit input and convert_to_8bit enabled
  • CVE-2025-64720 (high severity): Buffer overflow in png_image_read_composite() via incorrect palette premultiplication
  • CVE-2025-65018 (high severity): Heap buffer overflow in png_combine_row() triggered via png_image_finish_read()
  Many thanks to those who reported the issues (GitHub usernames Samsung-PENTEST, weijinjinnihao, yosiimich) and those who helped triage/analyze/fix them (Artiphishell's Fabio Gritti, our own John Bowler, and, of course, libpng maintainer Cosmin Truta himself).

• 3 July 2025 - libpng 1.6.50 is released with additional RISC-V improvements, better cross-platform build support, and a fix for an ancient decoder bug involving the unknown chunk handler API.

• 24 June 2025 - The PNG-3 spec is released with long-awaited new features.

• 13 June 2025 - libpng 1.6.49 is released with a new SIMD-optimized delta-filtering implementation for the RISC-V architecture.

• 1 May 2025 - libpng 1.6.48 is released with a fix for a floating-point bug in the setter of the mDCv chunk. Thanks to Travis CI for five years of free automated verification on various platforms, and to AppVeyor CI for their ongoing verification on Windows.

• 18 February 2025 - libpng 1.6.47 is released with full support for the PNG-3 specification, including new mDCV and cLLI chunks and updated colorspace behavior.

• 10 January 2025 - libpng 1.6.45 is released with support for the new PNG-3 colorspace chunk cICP, courtesy of Lucas Chollet and John Bowler.

Here are some related PNG pages at this site:

• Current News of the PNG Development Group
• Historical PNG news:
  • 2025 · 2024 · 2023 · 2022 · 2021 · 2019 · 2018 · 2017 · 2016 · 2015 · 2014 · 2013 · 2012 · 2011 · 2010 · 2009 · 2008 · 2007 · 2006 · 2005 · 2004 · 2003 · 2002 · 2001 · 2000 · 1999 · 1998 · 1997 · 1996 · 1995
• History of PNG
• Current Status of PNG

• PNG Home Page
• Complete PNG Site Map

Copyright © 1995-2025 Greg Roelofs.