CVE-2024-31580: PyTorch: heap buffer overflow causes local DoS

MEDIUM PoC AVAILABLE
Published April 17, 2024
CISO Take

PyTorch versions before 2.2.0 contain a heap buffer overflow in vararg_functions.cpp that can be triggered with crafted inputs to crash the process. The attack vector is local, limiting exposure, but any shared ML training or inference environment where untrusted users can submit inputs is at risk. Upgrade to PyTorch 2.2.0+ as part of your standard patch cycle — no emergency response required unless running shared multi-tenant ML infrastructure.

What is the risk?

Medium risk with limited exposure. The local attack vector (AV:L) is the primary risk reducer — an attacker needs local access or the ability to supply crafted inputs to a running PyTorch process. No confidentiality or integrity impact; effect is availability-only (process crash). In isolated training environments this is low urgency. Risk elevates in shared GPU clusters, Jupyter hub environments, or ML-as-a-Service platforms where multiple users submit workloads to a shared PyTorch runtime.

What systems are affected?

Package: PyTorch
Ecosystem: pip
Vulnerable Range: (not given)
Patched: No patch
Package profile: 100.9K; OpenSSF score 6.4; 22.7K dependents; pushed 2d ago; 11% patched; ~216d to patch.

Do you use PyTorch? You're affected.

How severe is it?

CVSS 3.1
4.0 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 13% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV (Attack Vector): Local
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): None
I (Integrity): None
A (Availability): Low

What should I do?

5 steps
  1. Upgrade to PyTorch 2.2.0 or later — patch is available at commit b5c3a17c2c207ebefcb85043f0cf94be9b2fef81.

  2. Audit PyTorch versions across all environments: training clusters, inference servers, CI/CD pipelines, and developer notebooks.

  3. In multi-tenant environments, apply input validation and sandboxing before upgrading to limit blast radius.

  4. Monitor for unexpected PyTorch process crashes or OOM kills as potential indicators of exploitation attempts.

  5. Review container images and ML platform base images for bundled PyTorch versions — many include outdated copies.
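The audit steps above (2, 1 and 5 in particular) come down to one question per environment: is the PyTorch that actually runs, or that a requirements file will resolve to, older than 2.2.0? The script below is an added example, not code from the advisory page or the PyTorch project. It checks the torch distribution visible to the interpreter it runs under and classifies torch lines in a requirements file; the sample requirements text is constructed for the demonstration, and the only fact it assumes is the advisory's fixed version, 2.2.0.

```python
"""Audit helper for CVE-2024-31580 (added example, not from the advisory page
or the PyTorch project). Flags PyTorch versions below 2.2.0, the first release
the advisory lists as patched, in the running environment and in requirements
files. Only the fixed version is taken from the advisory."""
import re
from importlib import metadata

FIXED_VERSION = (2, 2, 0)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")
_PRERELEASE_RE = re.compile(r"(a|b|rc|dev)\d*", re.I)


def parse_version(ver):
    """Return ((major, minor, patch), is_prerelease) for a torch version string.

    A local label such as '+cu121' is ignored; pre-release markers (2.2.0a0,
    2.2.0rc1, 2.2.0.dev20240101) mark the version as earlier than the final
    release with the same number. Raises ValueError on unparsable input.
    """
    core = ver.strip().split("+", 1)[0]
    m = _VERSION_RE.match(core)
    if not m:
        raise ValueError(f"unrecognised version string: {ver!r}")
    major, minor, patch, rest = m.groups()
    release = (int(major), int(minor), int(patch or 0))
    return release, bool(_PRERELEASE_RE.search(rest))


def is_vulnerable(ver):
    """True when the version is below 2.2.0 (pre-releases of 2.2.0 included)."""
    release, prerelease = parse_version(ver)
    if release < FIXED_VERSION:
        return True
    return release == FIXED_VERSION and prerelease


# A torch requirement line: optional extras, at most one version operator,
# then an optional environment marker (;) or comment (#). 'torchvision' and
# other packages whose name merely starts with 'torch' do not match.
_REQ_RE = re.compile(
    r"^\s*torch(?:\[[^\]]*\])?\s*(?:(===?|~=|>=|<=|!=|<|>)\s*([\w.+]+))?\s*(?:[;#].*)?$",
    re.I,
)


def scan_requirements(text):
    """Classify every torch line of a requirements file.

    Returns a list of (line, version, status) with status one of
    'vulnerable', 'patched' or 'unpinned'. Only exact pins (==, ===) are
    judged; ranges must be checked against the resolved install instead.
    """
    findings = []
    for line in text.splitlines():
        m = _REQ_RE.match(line)
        if not m:
            continue
        op, ver = m.groups()
        if op in ("==", "==="):
            status = "vulnerable" if is_vulnerable(ver) else "patched"
        else:
            status = "unpinned"
        findings.append((line.strip(), ver, status))
    return findings


def installed_status():
    """(version, status) for the torch distribution visible to this
    interpreter, or None when torch is not installed, so the check is safe
    to run on any host."""
    try:
        ver = metadata.version("torch")
    except metadata.PackageNotFoundError:
        return None
    return ver, ("vulnerable" if is_vulnerable(ver) else "patched")


# Constructed sample requirements file, not taken from any real project.
SAMPLE_REQUIREMENTS = """\
numpy==1.26.4
torch==2.1.2+cu121 ; python_version < "3.12"
torchvision==0.16.2
torch>=2.0  # resolved version decides
"""

if __name__ == "__main__":
    for line, ver, status in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"{status:10s} {line}")
    print("installed:", installed_status())
```

Run it inside each environment of interest (container image, notebook kernel, CI runner) rather than once on a workstation, since the point of step 2 is that every environment carries its own copy; an "unpinned" finding means the resolved version, not the requirements line, decides.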

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: 8.4 - AI system risk management; A.6.2.6 - Security of AI system
NIST AI RMF: GOVERN 6.2 - Risk monitoring and reporting; MANAGE 2.2 - Mechanisms to sustain oversight of AI systems

Frequently Asked Questions

What is CVE-2024-31580?

PyTorch versions before 2.2.0 contain a heap buffer overflow in vararg_functions.cpp that can be triggered with crafted inputs to crash the process. The attack vector is local, limiting exposure, but any shared ML training or inference environment where untrusted users can submit inputs is at risk. Upgrade to PyTorch 2.2.0+ as part of your standard patch cycle — no emergency response required unless running shared multi-tenant ML infrastructure.

Is CVE-2024-31580 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-31580, increasing the risk of exploitation.

How to fix CVE-2024-31580?

1. Upgrade to PyTorch 2.2.0 or later — patch is available at commit b5c3a17c2c207ebefcb85043f0cf94be9b2fef81.
2. Audit PyTorch versions across all environments: training clusters, inference servers, CI/CD pipelines, and developer notebooks.
3. In multi-tenant environments, apply input validation and sandboxing before upgrading to limit blast radius.
4. Monitor for unexpected PyTorch process crashes or OOM kills as potential indicators of exploitation attempts.
5. Review container images and ML platform base images for bundled PyTorch versions — many include outdated copies.

What systems are affected by CVE-2024-31580?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, inference pipelines, notebook environments, batch scoring pipelines.

What is the CVSS score for CVE-2024-31580?

CVE-2024-31580 has a CVSS v3.1 base score of 4.0 (MEDIUM). The EPSS exploitation probability is 0.22%.

What is the AI security impact?

Affected AI Architectures

training pipelines, model serving, inference pipelines, notebook environments, batch scoring pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0029 Denial of AI Service
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: 8.4, A.6.2.6
NIST AI RMF: GOVERN 6.2, MANAGE 2.2

What are the technical details?

Original Advisory

PyTorch before v2.2.0 was discovered to contain a heap buffer overflow vulnerability in the component /runtime/vararg_functions.cpp. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.

Exploitation Scenario

An attacker with access to a shared ML training cluster (e.g., a research institution's HPC environment or a multi-tenant ML platform) submits a crafted PyTorch script or tensor input that triggers the heap buffer overflow in vararg_functions.cpp. The PyTorch process crashes, killing a co-tenant's long-running training job and destroying unsaved checkpoint data. In a model serving context, an attacker with API access to a PyTorch-backed inference endpoint submits a malformed payload repeatedly, causing crash loops that take the inference endpoint offline — a targeted DoS against a production AI service.
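The observable side of this scenario, and of remediation step 4, is a run of crashed Python workers on one host: kernel segfault reports pointing into the PyTorch shared library, or OOM kills of the same interpreter. The detector below is an added example, not code from the advisory page or the PyTorch project. It parses syslog-style kernel lines, keeps only crashes of the named interpreter processes, and flags any host that accumulates a threshold number of them inside a sliding time window. The log lines, host names, PIDs and addresses are constructed for the demonstration; the line formats follow the kernel's segfault report and OOM-killer messages as forwarded by syslog.

```python
"""Crash-loop detector for shared ML hosts (added example, not from the
advisory page or the PyTorch project). Parses syslog-forwarded kernel lines
of the form '<timestamp> <host> kernel: <message>', keeps segfaults and OOM
kills of Python interpreters, and flags hosts whose crashes cluster."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

_LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+kernel:\s+(.*)$")
# Kernel segfault report: "<proc>[<pid>]: segfault at <addr> ... in <lib>[...]"
_SEGFAULT_RE = re.compile(
    r"^(?P<proc>[^\[]+)\[(?P<pid>\d+)\]: segfault at .* in (?P<lib>[^\[\s]+)"
)
# OOM killer: "Out of memory: Killed process <pid> (<proc>) ..."
_OOM_RE = re.compile(r"Out of memory: Killed process (?P<pid>\d+) \((?P<proc>[^)]+)\)")


def parse_crash(line):
    """Return (timestamp, host, kind, proc, library) for a crash line, else None."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    ts, host, msg = m.groups()
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    s = _SEGFAULT_RE.match(msg)
    if s:
        return when, host, "segfault", s.group("proc"), s.group("lib")
    o = _OOM_RE.search(msg)
    if o:
        return when, host, "oom", o.group("proc"), None
    return None


def find_crash_loops(lines, threshold=3, window=timedelta(minutes=5),
                     procs=("python", "python3")):
    """Return {host: count} for every host with at least `threshold` crashes
    of the named interpreters inside some window of length `window`.
    count is the largest number of crashes seen in one such window."""
    by_host = defaultdict(list)
    for line in lines:
        parsed = parse_crash(line)
        if parsed and parsed[3] in procs:
            by_host[parsed[1]].append(parsed[0])
    flagged = {}
    for host, times in by_host.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            # Advance the window start until it fits within `window`.
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[host] = best
    return flagged


# Constructed sample log: three worker segfaults on gpu-node-01 within two
# minutes, one OOM kill and one much later segfault on gpu-node-02, and an
# unrelated sshd crash that must be ignored.
SAMPLE_LOG = """\
2024-04-18T10:00:01+00:00 gpu-node-01 kernel: python3[4112]: segfault at 0 ip 00007f1c2a3b4c5d sp 00007ffd1e2f3a40 error 4 in libtorch_cpu.so[7f1c29000000+2000000]
2024-04-18T10:00:45+00:00 gpu-node-01 kernel: python3[4120]: segfault at 0 ip 00007f1c2a3b4c5d sp 00007ffd1e2f3a40 error 4 in libtorch_cpu.so[7f1c29000000+2000000]
2024-04-18T10:01:30+00:00 gpu-node-02 kernel: Out of memory: Killed process 5001 (python3) total-vm:20480000kB, anon-rss:18000000kB
2024-04-18T10:02:10+00:00 gpu-node-01 kernel: python3[4131]: segfault at 0 ip 00007f1c2a3b4c5d sp 00007ffd1e2f3a40 error 4 in libtorch_cpu.so[7f1c29000000+2000000]
2024-04-18T10:03:00+00:00 gpu-node-02 kernel: sshd[999]: segfault at 8 ip 00007f9a0b0c0d0e sp 00007ffc0a0b0c00 error 4 in libc.so.6[7f9a0a000000+1c0000]
2024-04-18T11:30:00+00:00 gpu-node-02 kernel: python3[5077]: segfault at 0 ip 00007f1c2a3b4c5d sp 00007ffd1e2f3a40 error 4 in libtorch_cpu.so[7f1c29000000+2000000]
"""

if __name__ == "__main__":
    print(find_crash_loops(SAMPLE_LOG.splitlines()))
```

A single segfault in a training job is routine; the signal worth alerting on is the cluster of repeats per host, which is why the detector reports the densest window rather than a total. Pair the alert with the crashing library name from `parse_crash` so an analyst can tell a PyTorch-native crash from an unrelated process fault.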

Weaknesses (CWE)

CWE-122 — Heap-based Buffer Overflow: A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

  • [Pre-design] Use a language or compiler that performs automatic bounds checking.
  • [Architecture and Design] Use an abstraction library to abstract away risky APIs. Not a complete solution.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Timeline

Published
April 17, 2024
Last Modified
June 10, 2025
First Seen
April 17, 2024

Related Vulnerabilities