News and History of the PNG Development Group from 2026

Herein lie news items and historical stuff primarily of interest to the Portable Network Graphics Development Group itself. Feel free to poke around even if you're not a member, though. Note that some of the links, particularly the older ones, are broken; in some cases this is explained by later entries. Other links (CompuServe, tcg.arl.mil) have fallen prey to reorganizations or upgrades; should they ever reappear, the entries below will be updated as needed.

On the other hand, keep in mind that this is history here...updates to older entries are really not a priority these days.

• current - see here

• 12 January 2026 - libpng 1.6.54 is released with fixes for the following security vulnerabilities:
  • CVE-2026-22695 (moderate severity): Heap buffer over-read in the libpng simplified API function png_image_finish_read() when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018 in 1.6.51.
  • CVE-2026-22801 (moderate severity): Integer truncation in the libpng simplified write API functions png_write_image_16bit() and png_write_image_8bit() causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems.
  Again, insofar as these involve libpng's simplified API, no web browsers are, to our knowledge, affected.

Here are some related PNG pages at this site:

• Current News of the PNG Development Group
• Historical PNG news:
  • 2026 · 2025 · 2024 · 2023 · 2022 · 2021 · 2019 · 2018 · 2017 · 2016 · 2015 · 2014 · 2013 · 2012 · 2011 · 2010 · 2009 · 2008 · 2007 · 2006 · 2005 · 2004 · 2003 · 2002 · 2001 · 2000 · 1999 · 1998 · 1997 · 1996 · 1995
• History of PNG
• Current Status of PNG

• PNG Home Page
• Complete PNG Site Map

Copyright © 1995-2026 Greg Roelofs.