CVE-2024-31583: PyTorch: use-after-free in JIT mobile interpreter, RCE

HIGH
Published April 17, 2024
CISO Take

A use-after-free in PyTorch's JIT mobile interpreter enables full system compromise (confidentiality, integrity, and availability all High) when a user loads a maliciously crafted model file. If your ML pipelines ingest .pt/.pth models from external sources—model hubs, shared storage, or third-party repositories—the 'user interaction required' barrier is effectively negligible in practice. Upgrade all environments to PyTorch ≥ 2.2.0 immediately and audit model ingestion pipelines for unvalidated external artifacts.

What is the risk?

High risk for organizations running PyTorch < 2.2.0 that load models from untrusted or unverified sources. Although the local attack vector limits mass opportunistic exploitation, in real ML workflows engineers routinely open .pt/.pth files from model hubs (Hugging Face, internal registries) or shared drives—making the user-interaction requirement trivially satisfied. CVSS 7.8 accurately reflects the full CIA impact if triggered. Absence from CISA KEV does not imply safety; this class of vulnerability (memory corruption in model deserialization/execution) has historically been weaponized in targeted attacks against AI infrastructure.

What systems are affected?

Package: PyTorch
Ecosystem: pip
Vulnerable Range: not listed
Patched: No patch

Do you use PyTorch? You're affected.

How severe is it?

CVSS 3.1
7.8 / 10
EPSS
0.3%
chance of exploitation in 30 days
Higher than 18% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Moderate

What is the attack surface?

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

What should I do?

5 steps
  1. PATCH

    Upgrade PyTorch to v2.2.0 or later (patch commit: 9c7071b0e324f9fb68ab881283d6b8d388a4bcd2).

  2. INVENTORY

    Identify all environments, containers, and CI/CD jobs running PyTorch < 2.2.0.

  3. MODEL PROVENANCE

    Enforce signed/verified model artifacts—only load models from trusted, checksummed sources; reject unsigned .pt files in automated pipelines.

  4. ISOLATION

    Run model loading/inference in sandboxed or containerized environments with minimal host privileges to limit blast radius.

  5. DETECTION

    Monitor for unexpected process spawning or network activity immediately following model load operations. Alert on loading .pt/.pth files from non-approved external sources.
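As an added example (not part of this advisory and not PyTorch's own code), the following Python gate implements steps 2 and 3 above: it classifies an installed torch.__version__ string against the 2.2.0 fix, and verifies a .pt/.pth file's SHA-256 against an allowlist manifest before the file is ever handed to torch.load(). The manifest format, the reason strings and the sample files are assumptions constructed inline; torch is not imported, so it runs offline.

```python
import hashlib
import re
import tempfile
from pathlib import Path

FIXED_VERSION = (2, 2, 0)           # CVE-2024-31583 is fixed in PyTorch 2.2.0
MODEL_EXTENSIONS = {".pt", ".pth"}  # artifact types named in the advisory

def is_vulnerable_version(version: str) -> bool:
    """True when a torch.__version__ string predates the fix (< 2.2.0).
    Strips local tags ('2.1.2+cu118') and, conservatively, treats 2.2.0
    pre-releases ('2.2.0a0', '2.2.0rc1', '2.2.0.dev...') as still vulnerable."""
    public = version.split("+")[0]
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", public)
    if not m:
        raise ValueError(f"unrecognised PyTorch version string: {version!r}")
    parsed = tuple(int(x or 0) for x in m.groups())
    prerelease = re.search(r"(a|b|rc|dev)\d*", public) is not None
    return parsed < FIXED_VERSION or (parsed == FIXED_VERSION and prerelease)

def check_model_artifact(path: Path, manifest: dict) -> str:
    """Run before torch.load(): returns 'ok' only if the .pt/.pth digest matches
    the allowlist, otherwise a reason string the pipeline can log and alert on."""
    if path.suffix.lower() not in MODEL_EXTENSIONS:
        return "not-a-model-artifact"
    expected = manifest.get(path.name)
    if expected is None:
        return "unlisted-artifact"   # step 3: reject unknown/unsigned .pt files
    if hashlib.sha256(path.read_bytes()).hexdigest() != expected.lower():
        return "digest-mismatch"     # substituted or tampered artifact
    return "ok"

def demo() -> dict:
    """Constructed scenario (assumed manifest layout): trusted artifact,
    tampered same-name copy from a hub directory, and an unknown download."""
    weights = b"constructed-model-bytes"  # stands in for a real .pt payload
    manifest = {"resnet.pt": hashlib.sha256(weights).hexdigest()}  # allowlist
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "resnet.pt"
        good.write_bytes(weights)
        tampered = Path(tmp) / "hub" / "resnet.pt"
        tampered.parent.mkdir()
        tampered.write_bytes(weights + b"\x00")  # same name, one byte appended
        unknown = Path(tmp) / "random_download.pth"
        unknown.write_bytes(b"constructed-unknown-bytes")
        return {"trusted": check_model_artifact(good, manifest),
                "tampered": check_model_artifact(tampered, manifest),
                "unlisted": check_model_artifact(unknown, manifest),
                "old_torch": is_vulnerable_version("2.1.2+cu118"),
                "fixed_torch": is_vulnerable_version("2.2.0+cu121")}
```

In a real pipeline the manifest would be produced by the team that signs or checksums approved models, and any non-"ok" result is the event step 5 tells you to alert on.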

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
8.4 - AI system operation and monitoring
NIST AI RMF
MANAGE 2.2 - Mechanisms to respond to AI risks
OWASP LLM Top 10
LLM05:2025 - Insecure Output Handling / Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2024-31583?

A use-after-free in PyTorch's JIT mobile interpreter enables full system compromise (confidentiality, integrity, and availability all High) when a user loads a maliciously crafted model file. If your ML pipelines ingest .pt/.pth models from external sources—model hubs, shared storage, or third-party repositories—the 'user interaction required' barrier is effectively negligible in practice. Upgrade all environments to PyTorch ≥ 2.2.0 immediately and audit model ingestion pipelines for unvalidated external artifacts.

Is CVE-2024-31583 actively exploited?

No confirmed active exploitation of CVE-2024-31583 has been reported, but organizations should still patch proactively.

How to fix CVE-2024-31583?

1. PATCH: Upgrade PyTorch to v2.2.0 or later (patch commit: 9c7071b0e324f9fb68ab881283d6b8d388a4bcd2).
2. INVENTORY: Identify all environments, containers, and CI/CD jobs running PyTorch < 2.2.0.
3. MODEL PROVENANCE: Enforce signed/verified model artifacts—only load models from trusted, checksummed sources; reject unsigned .pt files in automated pipelines.
4. ISOLATION: Run model loading/inference in sandboxed or containerized environments with minimal host privileges to limit blast radius.
5. DETECTION: Monitor for unexpected process spawning or network activity immediately following model load operations. Alert on loading .pt/.pth files from non-approved external sources.

What systems are affected by CVE-2024-31583?

This vulnerability affects the following AI/ML architecture patterns: mobile and edge inference deployments, model serving infrastructure, training pipelines, MLOps CI/CD pipelines, development and research environments.

What is the CVSS score for CVE-2024-31583?

CVE-2024-31583 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.27%.

What is the AI security impact?

Affected AI Architectures

mobile and edge inference deployments
model serving infrastructure
training pipelines
MLOps CI/CD pipelines
development and research environments

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: 8.4
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

Pytorch before version v2.2.0 was discovered to contain a use-after-free vulnerability in torch/csrc/jit/mobile/interpreter.cpp.

Exploitation Scenario

An adversary crafts a malicious PyTorch model file (.pt/.pth) that exploits the use-after-free in torch/csrc/jit/mobile/interpreter.cpp by manipulating object lifetimes within JIT bytecode execution. The file is uploaded to a public model hub (e.g., Hugging Face), embedded in a research paper's released artifacts, or delivered via a spearphishing email to a data scientist. The victim downloads and loads the model—a completely routine workflow step—triggering memory corruption that results in arbitrary code execution with the process owner's privileges. On a shared ML training server or GPU cluster, this grants the attacker a foothold to exfiltrate proprietary training data, model weights, API keys in environment variables, or pivot laterally through the ML infrastructure.

Weaknesses (CWE)

CWE-416 — Use After Free: The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

  • [Architecture and Design] Choose a language that provides automatic memory management.
  • [Implementation] When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Published
April 17, 2024
Last Modified
June 10, 2025
First Seen
April 17, 2024
