libpng 1.6.52 (the second-most critical update in decades) released! #768
ctruta announced in Announcements
Dear community of PNG and libpng users,
Hot on the heels of 1.6.51, here comes libpng 1.6.52 with one more high-severity fix. This one is... unusual.
CVE-2025-66293 is an out-of-bounds read in png_image_read_composite that can be triggered by completely valid, spec-compliant PNG files. No malicious crafting required. Any palette image with partial transparency (tRNS with alpha values 1–254) and gamma correction (gAMA chunk), when processed through the simplified API requesting output without alpha and no explicit background, will trigger the bug. The root cause is an internal flag synchronization issue between PNG_COMPOSE and PNG_FLAG_OPTIMIZE_ALPHA.
If you use the simplified libpng API (png_image_* functions) to process palette images, you need this update. To the best of my knowledge, web browsers use the low-level API and are not affected.
The gory details are available at:
Many thanks to @flyfish101 for reporting this issue.
On the non-security front: @chLFF fixed the Paeth filter handling in the RISC-V RVV implementation (reported by @filipwasil) and improved its performance; and @catenacyber contributed allocation failure fuzzing to oss-fuzz.
In the good old tradition of file authentication, here are the SHA-2-256 checksums of the published archive files:
libpng-1.6.52.tar.gz
86d4a88be1c8bc903674199f1d067a9ac940af4e4399caba0314e7a1bcaa0724
libpng-1.6.52.tar.xz
36bd726228ec93a3b6c22fdb49e94a67b16f2fe9b39b78b7cb65772966661ccc
lpng1652.7z
346b71932d80b99b6751c46b6925c0325f0144ee92b18371300d0e684db942e0
lpng1652.zip
63d8366fe994ab1ca17738e2a565288a336751b84ce2c6326f70057d8c9f2bab
Sincerely,
Cosmin
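For triaging which image assets meet the file-side conditions named in the announcement (palette image, gAMA chunk, tRNS alpha in 1–254), the chunk walk below flags matching PNGs without decoding them. It is an added example, not libpng code and not part of the announcement; the function name and the sample bytes are constructed for illustration, and exposure still depends on the application using the simplified API as described above.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample: chunk framing only, zeroed CRCs, no IDAT (not decodable). */
static const unsigned char sample[] = {
    0x89,'P','N','G','\r','\n',0x1a,'\n',
    0,0,0,13, 'I','H','D','R', 0,0,0,1, 0,0,0,1, 8,3,0,0,0, 0,0,0,0,
    0,0,0,4,  'g','A','M','A', 0,0,0xb1,0x8f, 0,0,0,0,
    0,0,0,3,  'P','L','T','E', 0xff,0,0, 0,0,0,0,
    0,0,0,1,  't','R','N','S', 0x80, 0,0,0,0,
    0,0,0,0,  'I','E','N','D', 0,0,0,0,
};

/* Read a big-endian 32-bit value, as used for PNG chunk lengths. */
static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Returns 1 if the buffer is a palette PNG with a gAMA chunk and a tRNS entry
 * in 1..254, 0 if not, -1 if the chunk stream is malformed or truncated.
 * Chunk CRCs are not verified: this is triage, not validation. */
int png_palette_partial_alpha_with_gamma(const unsigned char *buf, size_t len) {
    static const unsigned char sig[8] = {0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'};
    int palette = 0, gamma = 0, partial = 0;
    size_t off = 8;

    if (len < 8 || memcmp(buf, sig, 8) != 0) return -1;
    while (len - off >= 12) {              /* length + type + CRC */
        uint32_t clen = be32(buf + off);
        const unsigned char *type = buf + off + 4, *data = buf + off + 8;
        if (clen > len - off - 12)         /* chunk would run past the buffer */
            return -1;
        if (memcmp(type, "IHDR", 4) == 0) {
            if (clen != 13) return -1;
            palette = (data[9] == 3);      /* colour type 3 = palette */
        } else if (memcmp(type, "gAMA", 4) == 0) {
            gamma = 1;
        } else if (memcmp(type, "tRNS", 4) == 0) {
            for (uint32_t i = 0; i < clen; i++)
                if (data[i] >= 1 && data[i] <= 254) partial = 1;
        } else if (memcmp(type, "IEND", 4) == 0) {
            return palette && gamma && partial;
        }
        off += 12 + (size_t)clen;
    }
    return -1;                             /* no IEND seen */
}

int main(void) { return png_palette_partial_alpha_with_gamma(sample, sizeof sample) == 1 ? 0 : 1; }
```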