CVE-2024-31583: PyTorch: use-after-free in JIT mobile interpreter, RCE

HIGH
Published April 17, 2024
CISO Take

A use-after-free in PyTorch's JIT mobile interpreter enables full system compromise (confidentiality, integrity, and availability all High) when a user loads a maliciously crafted model file. If your ML pipelines ingest .pt/.pth models from external sources—model hubs, shared storage, or third-party repositories—the 'user interaction required' barrier is effectively negligible in practice. Upgrade all environments to PyTorch ≥ 2.2.0 immediately and audit model ingestion pipelines for unvalidated external artifacts.

Risk Assessment

High risk for organizations running PyTorch < 2.2.0 that load models from untrusted or unverified sources. Although the local attack vector limits mass opportunistic exploitation, in real ML workflows engineers routinely open .pt/.pth files from model hubs (Hugging Face, internal registries) or shared drives—making the user-interaction requirement trivially satisfied. CVSS 7.8 accurately reflects the full CIA impact if triggered. Absence from CISA KEV does not imply safety; this class of vulnerability (memory corruption in model deserialization/execution) has historically been weaponized in targeted attacks against AI infrastructure.

Affected Systems

Package Ecosystem Vulnerable Range Patched
pytorch pip No patch

Severity & Risk

CVSS 3.1
7.8 / 10
EPSS
0.0%
chance of exploitation in 30 days
Higher than 15% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Moderate

Attack Surface

AV (Attack Vector): Local
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): Required
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

Recommended Action

5 steps
  1. PATCH

    Upgrade PyTorch to v2.2.0 or later (patch commit: 9c7071b0e324f9fb68ab881283d6b8d388a4bcd2).

  2. INVENTORY

    Identify all environments, containers, and CI/CD jobs running PyTorch < 2.2.0.

  3. MODEL PROVENANCE

    Enforce signed/verified model artifacts—only load models from trusted, checksummed sources; reject unsigned .pt files in automated pipelines.

  4. ISOLATION

    Run model loading/inference in sandboxed or containerized environments with minimal host privileges to limit blast radius.

  5. DETECTION

    Monitor for unexpected process spawning or network activity immediately following model load operations. Alert on loading .pt/.pth files from non-approved external sources.
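The INVENTORY and MODEL PROVENANCE steps above as runnable Python (an added example, not code from this advisory or from the PyTorch project). The 2.2.0 threshold comes from the advisory; the version-string handling, the file names, the allowlist and the sample bytes are constructed for illustration, and the gate is meant to run before any call to torch.load().

```python
import hashlib, hmac, re, tempfile
from pathlib import Path

FIXED = (2, 2, 0)  # first PyTorch release with the fix for CVE-2024-31583
_VER = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?P<tag>\.?[A-Za-z].*)?$")

def is_vulnerable_version(version: str) -> bool:
    """True when a torch.__version__ string predates 2.2.0. Wheel local tags
    ('+cu121') are ignored; '2.2.0a0' still predates the fix, '2.2.0.post1' does not."""
    m = _VER.match(version.split("+", 1)[0])
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    release = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    tag = (m.group("tag") or "").lstrip(".")  # e.g. 'a0', 'rc1', 'dev3', 'post1'
    return release < FIXED or (release == FIXED and bool(tag) and not tag.startswith("post"))

def sha256_of(path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):  # stream: models can be GBs
            h.update(chunk)
    return h.hexdigest()

def artifact_allowed(path, allowlist: dict) -> bool:
    """Provenance gate to run before torch.load(): accept only a .pt/.pth whose
    sha256 matches the value pinned for its name; anything unlisted is rejected."""
    path = Path(path)
    expected = allowlist.get(path.name)
    if path.suffix not in (".pt", ".pth") or expected is None:
        return False
    return hmac.compare_digest(sha256_of(path), expected.lower())

def demo() -> dict:
    """Constructed sample files (not real models) exercising the gate."""
    with tempfile.TemporaryDirectory() as d:
        good = Path(d, "resnet18.pt")
        good.write_bytes(b"constructed model bytes")
        tampered = Path(d, "resnet18-tampered.pt")
        tampered.write_bytes(b"constructed model bytes, modified")
        stray = Path(d, "notes.txt")
        stray.write_bytes(b"not a model")
        allow = {n: sha256_of(good) for n in ("resnet18.pt", "resnet18-tampered.pt")}
        return {"pinned": artifact_allowed(good, allow),
                "tampered": artifact_allowed(tampered, allow),
                "not_listed": artifact_allowed(stray, allow)}

if __name__ == "__main__":
    print({v: is_vulnerable_version(v) for v in ("2.1.2+cu121", "2.2.0")}, demo())
```

In a real pipeline the allowlist would be a pinned manifest checked into the repository rather than computed at run time, and a rejected artifact should be logged for the DETECTION step.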

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
8.4 - AI system operation and monitoring
NIST AI RMF
MANAGE 2.2 - Mechanisms to respond to AI risks
OWASP LLM Top 10
LLM05:2025 - Insecure Output Handling / Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2024-31583?

A use-after-free in PyTorch's JIT mobile interpreter enables full system compromise (confidentiality, integrity, and availability all High) when a user loads a maliciously crafted model file. If your ML pipelines ingest .pt/.pth models from external sources—model hubs, shared storage, or third-party repositories—the 'user interaction required' barrier is effectively negligible in practice. Upgrade all environments to PyTorch ≥ 2.2.0 immediately and audit model ingestion pipelines for unvalidated external artifacts.

Is CVE-2024-31583 actively exploited?

No confirmed active exploitation of CVE-2024-31583 has been reported, but organizations should still patch proactively.

How to fix CVE-2024-31583?

1. PATCH: Upgrade PyTorch to v2.2.0 or later (patch commit: 9c7071b0e324f9fb68ab881283d6b8d388a4bcd2).
2. INVENTORY: Identify all environments, containers, and CI/CD jobs running PyTorch < 2.2.0.
3. MODEL PROVENANCE: Enforce signed/verified model artifacts; only load models from trusted, checksummed sources, and reject unsigned .pt files in automated pipelines.
4. ISOLATION: Run model loading/inference in sandboxed or containerized environments with minimal host privileges to limit blast radius.
5. DETECTION: Monitor for unexpected process spawning or network activity immediately following model load operations. Alert on loading .pt/.pth files from non-approved external sources.

What systems are affected by CVE-2024-31583?

This vulnerability affects the following AI/ML architecture patterns: mobile and edge inference deployments, model serving infrastructure, training pipelines, MLOps CI/CD pipelines, development and research environments.

What is the CVSS score for CVE-2024-31583?

CVE-2024-31583 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.05%.

Technical Details

NVD Description

Pytorch before version v2.2.0 was discovered to contain a use-after-free vulnerability in torch/csrc/jit/mobile/interpreter.cpp.

Exploitation Scenario

An adversary crafts a malicious PyTorch model file (.pt/.pth) that exploits the use-after-free in torch/csrc/jit/mobile/interpreter.cpp by manipulating object lifetimes within JIT bytecode execution. The file is uploaded to a public model hub (e.g., Hugging Face), embedded in a research paper's released artifacts, or delivered via a spearphishing email to a data scientist. The victim downloads and loads the model—a completely routine workflow step—triggering memory corruption that results in arbitrary code execution with the process owner's privileges. On a shared ML training server or GPU cluster, this grants the attacker a foothold to exfiltrate proprietary training data, model weights, API keys in environment variables, or pivot laterally through the ML infrastructure.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Published
April 17, 2024
Last Modified
June 10, 2025
First Seen
April 17, 2024
