CVE-2024-31580 — MEDIUM (CVSS 4.0) AI Security Vulnerability

CISO Take

PyTorch versions before 2.2.0 contain a heap buffer overflow in vararg_functions.cpp that can be triggered with crafted inputs to crash the process. The attack vector is local, limiting exposure, but any shared ML training or inference environment where untrusted users can submit inputs is at risk. Upgrade to PyTorch 2.2.0+ as part of your standard patch cycle — no emergency response required unless running shared multi-tenant ML infrastructure.

Risk Assessment

Medium risk with limited exposure. The local attack vector (AV:L) is the primary risk reducer — an attacker needs local access or the ability to supply crafted inputs to a running PyTorch process. No confidentiality or integrity impact; effect is availability-only (process crash). In isolated training environments this is low urgency. Risk elevates in shared GPU clusters, Jupyter hub environments, or ML-as-a-Service platforms where multiple users submit workloads to a shared PyTorch runtime.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
pytorch	pip	—	No patch
99.6K OpenSSF 6.4 21.7K dependents Pushed 6d ago 8% patched ~142d to patch Full package profile →

Do you use pytorch? You're affected.

Severity & Risk

CVSS 3.1

4.0 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 11% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Moderate

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Local

AC Low

PR None

UI None

S Unchanged

C None

I None

A Low

Recommended Action

5 steps

Upgrade to PyTorch 2.2.0 or later — patch is available at commit b5c3a17c2c207ebefcb85043f0cf94be9b2fef81.
Audit PyTorch versions across all environments: training clusters, inference servers, CI/CD pipelines, and developer notebooks.
In multi-tenant environments, apply input validation and sandboxing before upgrading to limit blast radius.
Monitor for unexpected PyTorch process crashes or OOM kills as potential indicators of exploitation attempts.
Review container images and ML platform base images for bundled PyTorch versions — many include outdated copies.

CISA SSVC Assessment

Decision Track

Exploitation none

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

DoS Framework AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

8.4 - AI system risk management A.6.2.6 - Security of AI system

NIST AI RMF

GOVERN 6.2 - Risk monitoring and reporting MANAGE 2.2 - Mechanisms to sustain oversight of AI systems

Frequently Asked Questions

What is CVE-2024-31580?

PyTorch versions before 2.2.0 contain a heap buffer overflow in vararg_functions.cpp that can be triggered with crafted inputs to crash the process. The attack vector is local, limiting exposure, but any shared ML training or inference environment where untrusted users can submit inputs is at risk. Upgrade to PyTorch 2.2.0+ as part of your standard patch cycle — no emergency response required unless running shared multi-tenant ML infrastructure.

Is CVE-2024-31580 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-31580, increasing the risk of exploitation.

How to fix CVE-2024-31580?

1. Upgrade to PyTorch 2.2.0 or later — patch is available at commit b5c3a17c2c207ebefcb85043f0cf94be9b2fef81. 2. Audit PyTorch versions across all environments: training clusters, inference servers, CI/CD pipelines, and developer notebooks. 3. In multi-tenant environments, apply input validation and sandboxing before upgrading to limit blast radius. 4. Monitor for unexpected PyTorch process crashes or OOM kills as potential indicators of exploitation attempts. 5. Review container images and ML platform base images for bundled PyTorch versions — many include outdated copies.

What systems are affected by CVE-2024-31580?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, inference pipelines, notebook environments, batch scoring pipelines.

What is the CVSS score for CVE-2024-31580?

CVE-2024-31580 has a CVSS v3.1 base score of 4.0 (MEDIUM). The EPSS exploitation probability is 0.04%.

Technical Details

NVD Description

PyTorch before v2.2.0 was discovered to contain a heap buffer overflow vulnerability in the component /runtime/vararg_functions.cpp. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.

Exploitation Scenario

An attacker with access to a shared ML training cluster (e.g., a research institution's HPC environment or a multi-tenant ML platform) submits a crafted PyTorch script or tensor input that triggers the heap buffer overflow in vararg_functions.cpp. The PyTorch process crashes, killing a co-tenant's long-running training job and destroying unsaved checkpoint data. In a model serving context, an attacker with API access to a PyTorch-backed inference endpoint submits a malformed payload repeatedly, causing crash loops that take the inference endpoint offline — a targeted DoS against a production AI service.