AI Threat Alert

CVE-2024-31584: PyTorch: OOB read in mobile model loader leaks memory

MEDIUM
Published April 19, 2024
CISO Take

Any pipeline that loads PyTorch Mobile (.ptl) model files from untrusted sources is exposed to memory disclosure via a crafted FlatBuffer payload. Upgrade PyTorch to v2.2.0+; if upgrading is not immediate, restrict model ingestion to signed artifacts from controlled registries. CVSS 5.5 means exploitability is real but requires user-triggered model loading, making supply chain poisoning the primary threat vector.

What is the risk?

Medium risk overall, but elevated in AI/ML contexts where model files routinely originate from public hubs (HuggingFace, PyTorch Hub) or user uploads. The OOB read in flatbuffer_loader.cpp can expose process memory during model deserialization, potentially leaking secrets, weights, or runtime data. Low privileges required and low attack complexity amplify risk for teams with loose model artifact governance. Not in CISA KEV and no known active exploitation, but the attack surface is broad across MLOps pipelines.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
PyTorch pip No patch
100.9K OpenSSF 6.4 22.7K dependents Pushed 2d ago 11% patched ~216d to patch Full package profile →

Do you use PyTorch? You're affected.

How severe is it?

CVSS 3.1
5.5 / 10
EPSS
0.4%
chance of exploitation in 30 days
Higher than 30% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
No known exploitation
Sophistication
Moderate

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI Required
S Unchanged
C Low
I Low
A Low

What should I do?

5 steps

  1. Patch: Upgrade PyTorch to v2.2.0 or later (commit 7c35874 addresses the OOB condition in flatbuffer_loader.cpp:305).

  2. Artifact governance: Implement cryptographic signing and provenance verification for all model files before loading (e.g., Sigstore/cosign for ML artifacts).

  3. Sandbox model loading: Run deserialization in isolated processes or containers with seccomp profiles to limit blast radius of memory disclosure.

  4. Registry control: Whitelist approved model sources; block unauthenticated pulls from public hubs in production pipelines.

  5. Detection: Monitor for anomalous memory access patterns during model load operations; flag loading of .ptl files from unverified sources in SIEM.

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Supply Chain Data Extraction Framework Model AML.T0010.001 AML.T0010.003 AML.T0011.000 AML.T0025 AML.T0049

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system
ISO 42001
A.6.1.2 - AI system risk assessment A.8.4 - AI system security
NIST AI RMF
MANAGE 2.2 - Mechanisms are in place to sustain the value of deployed AI systems
OWASP LLM Top 10
LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2024-31584?

Any pipeline that loads PyTorch Mobile (.ptl) model files from untrusted sources is exposed to memory disclosure via a crafted FlatBuffer payload. Upgrade PyTorch to v2.2.0+; if upgrading is not immediate, restrict model ingestion to signed artifacts from controlled registries. CVSS 5.5 means exploitability is real but requires user-triggered model loading, making supply chain poisoning the primary threat vector.

Is CVE-2024-31584 actively exploited?

No confirmed active exploitation of CVE-2024-31584 has been reported, but organizations should still patch proactively.

How to fix CVE-2024-31584?

1. Patch: Upgrade PyTorch to v2.2.0 or later (commit 7c35874 addresses the OOB condition in flatbuffer_loader.cpp:305). 2. Artifact governance: Implement cryptographic signing and provenance verification for all model files before loading (e.g., Sigstore/cosign for ML artifacts). 3. Sandbox model loading: Run deserialization in isolated processes or containers with seccomp profiles to limit blast radius of memory disclosure. 4. Registry control: Whitelist approved model sources; block unauthenticated pulls from public hubs in production pipelines. 5. Detection: Monitor for anomalous memory access patterns during model load operations; flag loading of .ptl files from unverified sources in SIEM.

What systems are affected by CVE-2024-31584?

This vulnerability affects the following AI/ML architecture patterns: model serving, edge AI / mobile inference, training pipelines, MLOps CI/CD pipelines.

What is the CVSS score for CVE-2024-31584?

CVE-2024-31584 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.38%.

What is the AI security impact?

Affected AI Architectures

model servingedge AI / mobile inferencetraining pipelinesMLOps CI/CD pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0010.003 Model
AML.T0011.000 Unsafe AI Artifacts
AML.T0025 Exfiltration via Cyber Means
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: A.6.1.2, A.8.4
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM05

What are the technical details?

Original Advisory

Pytorch before v2.2.0 has an Out-of-bounds Read vulnerability via the component torch/csrc/jit/mobile/flatbuffer_loader.cpp.

Exploitation Scenario

An adversary crafts a malicious PyTorch Mobile FlatBuffer model file with an out-of-bounds read condition in the tensor metadata. They publish this model to a public repository (PyTorch Hub fork, HuggingFace model card) or deliver it via spearphishing to an ML engineer. When the victim's pipeline calls torch.jit.load() or the mobile runtime loads the .ptl file, flatbuffer_loader.cpp reads beyond the allocated buffer. The attacker leaks partial process memory that may contain API keys, model weights (IP theft), or inference input data from co-located tenants. In a multi-tenant model serving environment, this becomes a cross-tenant data leak.

Weaknesses (CWE)

CWE-125 Out-of-bounds Read

CWE-125 — Out-of-bounds Read: The product reads data past the end, or before the beginning, of the intended buffer.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] Use a language that provides appropriate memory abstractions.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

References

Timeline

Published
April 19, 2024
Last Modified
June 3, 2025
First Seen
April 19, 2024

Related Vulnerabilities

CRITICAL CVE-2024-5452 9.8

pytorch-lightning: RCE via deepdiff Delta deserialization

Same package: torch
CRITICAL CVE-2023-43654 9.8

TorchServe: SSRF + RCE via unrestricted model URL loading

Same package: torch
CRITICAL CVE-2022-45907 9.8

PyTorch: RCE via unsafe eval in JIT annotations

Same package: torch
CRITICAL CVE-2022-0845 9.8

pytorch-lightning: code injection enables full RCE

Same package: torch
CRITICAL CVE-2024-35198 9.8

TorchServe: URL bypass enables arbitrary model loading

Same package: torch
Back to Threat Feed