Bundled libpng prior to 1.6.54 is vulnerable

[alexaryn]

Versions of libpng up to 1.6.53 likely have the following vulnerabilities:

• CVE-2026-22696
• CVE-2026-22801

When I install torchvision via Poetry, I end up with a file like:

.venv/lib/python3.13/site-packages/torchvision.libs/libpng16.0481ee11.so.16

Given that these CVEs are from 2026 and the most recent release of torchvision (0.24.1) is from November of 2025, I'm pretty sure a new release of torchvision with updated dependencies is warranted. Currently, software installations utilizing torchvision may trigger vulnerability scanners.

[NicolasHug]

Thanks for the headsup @alexaryn .

From a quick read of the descriptions, it looks like the affected functions are png_image_finish_read, png_write_image_16bit and png_write_image_8bit. TorchVision doesn't use those, so things are probably OK. We'll release torchvision 0.25 later this week, which will hopefully come with updated libpng dependencies (if they're available on the builders we use).