libpng 1.6.51 - November 21, 2025 ================================= This is a public release of libpng, intended for use in production code. Files available for download ---------------------------- Source files with LF line endings (for Unix/Linux): * libpng-1.6.51.tar.xz (LZMA-compressed, recommended) * libpng-1.6.51.tar.gz (deflate-compressed) Source files with CRLF line endings (for Windows): * lpng1651.7z (LZMA-compressed, recommended) * lpng1651.zip (deflate-compressed) Other information: * README.md * LICENSE.md * AUTHORS.md * TRADEMARK.md Changes from version 1.6.50 to version 1.6.51 --------------------------------------------- * Fixed CVE-2025-64505 (moderate severity): Heap buffer overflow in `png_do_quantize` via malformed palette index. (Reported by Samsung; analyzed by Fabio Gritti.) * Fixed CVE-2025-64506 (moderate severity): Heap buffer over-read in `png_write_image_8bit` with 8-bit input and `convert_to_8bit` enabled. (Reported by Samsung and ; analyzed by Fabio Gritti.) * Fixed CVE-2025-64720 (high severity): Buffer overflow in `png_image_read_composite` via incorrect palette premultiplication. (Reported by Samsung; analyzed by John Bowler.) * Fixed CVE-2025-65018 (high severity): Heap buffer overflow in `png_combine_row` triggered via `png_image_finish_read`. (Reported by .) * Fixed a memory leak in `png_set_quantize`. (Reported by Samsung; analyzed by Fabio Gritti.) * Removed the experimental and incomplete ERROR_NUMBERS code. (Contributed by Tobias Stoeckmann.) * Improved the RISC-V vector extension support; required RVV 1.0 or newer. (Contributed by Filip Wasil.) * Added GitHub Actions workflows for automated testing. * Performed various refactorings and cleanups. Send comments/corrections/commendations to png-mng-implement at lists.sf.net. Subscription is required; visit https://lists.sourceforge.net/lists/listinfo/png-mng-implement to subscribe.