CVE-2025-2148: PyTorch memory corruption

Q: Is CVE-2025-2148 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-2148, increasing the risk of exploitation.

Q: How to fix CVE-2025-2148?

1. Inventory: identify all PyTorch 2.6.0+cu124 deployments (pip show torch | grep Version). 2. Patch: upgrade to a patched PyTorch release once available; monitor pytorch/pytorch#147722 for fix status. 3. Compensating control: disable torch.profiler invocation in production code paths. 4. Network isolation: restrict inbound access to model serving endpoints backed by PyTorch (TorchServe, FastAPI/Triton wrappers). 5. Detection: alert on segfaults or abnormal memory errors in PyTorch processes; crashes in JIT/profiler context are IOCs. 6. Avoid loading untrusted serialized models (.pt/.pth) or executing untrusted PyTorch scripts in any environment using this build.

Q: What systems are affected by CVE-2025-2148?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, ML development environments.

Q: What is the CVSS score for CVE-2025-2148?

CVE-2025-2148 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.40%.

CISO Take

PyTorch 2.6.0+cu124 contains a memory corruption flaw in its JIT profiler that can be triggered remotely. While high attack complexity and required user interaction reduce immediate exploitation risk, organizations running this exact build in training clusters or GPU-accelerated inference should upgrade and monitor pytorch/pytorch#147722 for a patch. Disable JIT profiling in production as a compensating control until a fix is available.

What is the risk?

High severity with constrained real-world exploitability. CVSS 7.5 reflects full-compromise potential (C:H/I:H/A:H), but AC:H and UI:R requirements significantly limit opportunistic attacks. Primary risk is in organizations running PyTorch 2.6.0+cu124 with any network-accessible surface—common in model serving APIs and distributed training setups. No public PoC or active exploitation observed; not in CISA KEV. Risk escalates if a weaponized PoC is published given PyTorch's ubiquity across the ML ecosystem.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
PyTorch	pip	—	No patch
100.9K OpenSSF 6.4 22.7K dependents Pushed 3d ago 11% patched ~216d to patch Full package profile →
PyTorch	pip	<= 2.6.0	No patch
100.9K OpenSSF 6.4 22.7K dependents Pushed 3d ago 11% patched ~216d to patch Full package profile →

How severe is it?

CVSS 3.1

7.5 / 10

EPSS

0.4%

chance of exploitation in 30 days

Higher than 32% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Advanced

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC High

PR None

UI Required

S Unchanged

C High

I High

A High

What should I do?

6 steps

Inventory: identify all PyTorch 2.6.0+cu124 deployments (pip show torch | grep Version).
Patch: upgrade to a patched PyTorch release once available; monitor pytorch/pytorch#147722 for fix status.
Compensating control: disable torch.profiler invocation in production code paths.
Network isolation: restrict inbound access to model serving endpoints backed by PyTorch (TorchServe, FastAPI/Triton wrappers).
Detection: alert on segfaults or abnormal memory errors in PyTorch processes; crashes in JIT/profiler context are IOCs.
Avoid loading untrusted serialized models (.pt/.pth) or executing untrusted PyTorch scripts in any environment using this build.

What does CISA's SSVC say?

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Code Execution Supply Chain Framework Inference AML.T0010.001 - AI Software AML.T0011.000 - Unsafe AI Artifacts AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art.15 - Accuracy, robustness and cybersecurity for high-risk AI systems

ISO 42001

A.10.1 - AI system security

NIST AI RMF

MANAGE-2.2 - Mechanisms to sustain the value of deployed AI are evaluated and applied

OWASP LLM Top 10

LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2025-2148?

PyTorch 2.6.0+cu124 contains a memory corruption flaw in its JIT profiler that can be triggered remotely. While high attack complexity and required user interaction reduce immediate exploitation risk, organizations running this exact build in training clusters or GPU-accelerated inference should upgrade and monitor pytorch/pytorch#147722 for a patch. Disable JIT profiling in production as a compensating control until a fix is available.

Is CVE-2025-2148 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-2148, increasing the risk of exploitation.

How to fix CVE-2025-2148?

1. Inventory: identify all PyTorch 2.6.0+cu124 deployments (pip show torch | grep Version). 2. Patch: upgrade to a patched PyTorch release once available; monitor pytorch/pytorch#147722 for fix status. 3. Compensating control: disable torch.profiler invocation in production code paths. 4. Network isolation: restrict inbound access to model serving endpoints backed by PyTorch (TorchServe, FastAPI/Triton wrappers). 5. Detection: alert on segfaults or abnormal memory errors in PyTorch processes; crashes in JIT/profiler context are IOCs. 6. Avoid loading untrusted serialized models (.pt/.pth) or executing untrusted PyTorch scripts in any environment using this build.

What systems are affected by CVE-2025-2148?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, ML development environments.

What is the CVSS score for CVE-2025-2148?

CVE-2025-2148 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.40%.

What is the AI security impact?

Affected AI Architectures

training pipelinesmodel servingML development environments

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0011.000 Unsafe AI Artifacts

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art.15

ISO 42001: A.10.1

NIST AI RMF: MANAGE-2.2

OWASP LLM Top 10: LLM05

What are the technical details?

Original Advisory

A vulnerability was found in PyTorch 2.6.0+cu124. It has been declared as critical. Affected by this vulnerability is the function torch.ops.profiler._call_end_callbacks_on_jit_fut of the component Tuple Handler. The manipulation of the argument None leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult.

Exploitation Scenario

An adversary targets an organization running a model serving API backed by PyTorch 2.6.0+cu124 with JIT compilation enabled. By crafting a malicious serialized model or adversarial inference request that routes through the profiler's JIT future callback handler with a None tuple argument, the attacker triggers memory corruption. In a realistic scenario—a TorchServe endpoint or Jupyter notebook server reachable over the network—this could escalate to remote code execution on the ML host, compromising training data, model weights, and any cloud credentials stored in the environment. User interaction (e.g., loading the crafted artifact) remains a required step, making phishing or dependency confusion a likely delivery vector.

Weaknesses (CWE)

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer Primary CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer: The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

[Requirements] Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer. Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe.
[Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions.

Source: MITRE CWE corpus.