CVE-2024-31584 — MEDIUM (CVSS 5.5) AI Security Vulnerability

CISO Take

Any pipeline that loads PyTorch Mobile (.ptl) model files from untrusted sources is exposed to memory disclosure via a crafted FlatBuffer payload. Upgrade PyTorch to v2.2.0+; if upgrading is not immediate, restrict model ingestion to signed artifacts from controlled registries. CVSS 5.5 means exploitability is real but requires user-triggered model loading, making supply chain poisoning the primary threat vector.

Risk Assessment

Medium risk overall, but elevated in AI/ML contexts where model files routinely originate from public hubs (HuggingFace, PyTorch Hub) or user uploads. The OOB read in flatbuffer_loader.cpp can expose process memory during model deserialization, potentially leaking secrets, weights, or runtime data. Low privileges required and low attack complexity amplify risk for teams with loose model artifact governance. Not in CISA KEV and no known active exploitation, but the attack surface is broad across MLOps pipelines.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
pytorch	pip	—	No patch
99.6K OpenSSF 6.4 21.7K dependents Pushed 6d ago 8% patched ~142d to patch Full package profile →

Do you use pytorch? You're affected.

Severity & Risk

CVSS 3.1

5.5 / 10

EPSS

0.1%

chance of exploitation in 30 days

Higher than 23% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Moderate

Attack Surface

AV Network

AC Low

PR Low

UI Required

S Unchanged

C Low

I Low

A Low

Recommended Action

5 steps

Patch: Upgrade PyTorch to v2.2.0 or later (commit 7c35874 addresses the OOB condition in flatbuffer_loader.cpp:305).
Artifact governance: Implement cryptographic signing and provenance verification for all model files before loading (e.g., Sigstore/cosign for ML artifacts).
Sandbox model loading: Run deserialization in isolated processes or containers with seccomp profiles to limit blast radius of memory disclosure.
Registry control: Whitelist approved model sources; block unauthenticated pulls from public hubs in production pipelines.
Detection: Monitor for anomalous memory access patterns during model load operations; flag loading of .ptl files from unverified sources in SIEM.

CISA SSVC Assessment

Decision Track

Exploitation none

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Supply Chain Data Extraction Framework Model AML.T0010.001 - AI Software AML.T0010.003 - Model AML.T0011.000 - Unsafe AI Artifacts AML.T0025 - Exfiltration via Cyber Means AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system

ISO 42001

A.6.1.2 - AI system risk assessment A.8.4 - AI system security

NIST AI RMF

MANAGE 2.2 - Mechanisms are in place to sustain the value of deployed AI systems

OWASP LLM Top 10

LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2024-31584?

Any pipeline that loads PyTorch Mobile (.ptl) model files from untrusted sources is exposed to memory disclosure via a crafted FlatBuffer payload. Upgrade PyTorch to v2.2.0+; if upgrading is not immediate, restrict model ingestion to signed artifacts from controlled registries. CVSS 5.5 means exploitability is real but requires user-triggered model loading, making supply chain poisoning the primary threat vector.

Is CVE-2024-31584 actively exploited?

No confirmed active exploitation of CVE-2024-31584 has been reported, but organizations should still patch proactively.

How to fix CVE-2024-31584?

1. Patch: Upgrade PyTorch to v2.2.0 or later (commit 7c35874 addresses the OOB condition in flatbuffer_loader.cpp:305). 2. Artifact governance: Implement cryptographic signing and provenance verification for all model files before loading (e.g., Sigstore/cosign for ML artifacts). 3. Sandbox model loading: Run deserialization in isolated processes or containers with seccomp profiles to limit blast radius of memory disclosure. 4. Registry control: Whitelist approved model sources; block unauthenticated pulls from public hubs in production pipelines. 5. Detection: Monitor for anomalous memory access patterns during model load operations; flag loading of .ptl files from unverified sources in SIEM.

What systems are affected by CVE-2024-31584?

This vulnerability affects the following AI/ML architecture patterns: model serving, edge AI / mobile inference, training pipelines, MLOps CI/CD pipelines.

What is the CVSS score for CVE-2024-31584?

CVE-2024-31584 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.08%.

Technical Details

NVD Description

Pytorch before v2.2.0 has an Out-of-bounds Read vulnerability via the component torch/csrc/jit/mobile/flatbuffer_loader.cpp.

Exploitation Scenario

An adversary crafts a malicious PyTorch Mobile FlatBuffer model file with an out-of-bounds read condition in the tensor metadata. They publish this model to a public repository (PyTorch Hub fork, HuggingFace model card) or deliver it via spearphishing to an ML engineer. When the victim's pipeline calls torch.jit.load() or the mobile runtime loads the .ptl file, flatbuffer_loader.cpp reads beyond the allocated buffer. The attacker leaks partial process memory that may contain API keys, model weights (IP theft), or inference input data from co-located tenants. In a multi-tenant model serving environment, this becomes a cross-tenant data leak.