CVE-2025-2149: PyTorch: improper init in quantized sigmoid skews model output
GHSA-x3gm-94wq-g975 | Severity: LOW | PoC available | CISA SSVC: Track

This low-severity flaw in PyTorch 2.6.0's quantized Sigmoid module allows a local attacker with limited privileges to corrupt scale/zero_point initialization, silently degrading model prediction integrity. It is not actively exploited and requires local access with high attack complexity; deprioritize patching unless you run inference workloads on multi-tenant or shared GPU infrastructure. Monitor for PyTorch patch releases and schedule the upgrade in the next maintenance window.
What is the risk?
Risk is LOW in isolation. CVSS 2.5 reflects local-only access, high attack complexity, and integrity-only impact. However, in AI/ML pipelines where quantized models are deployed on shared inference servers, an insider or compromised process could exploit this to introduce subtle, hard-to-detect prediction errors. The real risk is not immediate compromise but undetected model integrity erosion — particularly dangerous in safety-critical or compliance-sensitive AI workloads.
What should I do?
Six steps:
1. Inventory PyTorch versions across inference and training infrastructure; flag any deployment on 2.6.0+cu124.
2. Avoid using torch.nn.quantized.Sigmoid with unvalidated scale/zero_point arguments until patched.
3. Validate quantization parameters at model load time: assert scale > 0 and zero_point is within the expected integer range.
4. Monitor GitHub issue #147818 for upstream patch status.
5. If quantized inference is critical, consider downgrading to PyTorch 2.5.x as a temporary workaround.
6. For production serving, enforce process isolation on inference workers to limit local privilege escalation paths.
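The load-time check from step 3, written out as an added example (this is not PyTorch's code or the advisory's). It runs without torch: callers pass plain records of (name, kind, scale, zero_point, dtype), which in a real deployment you would gather from model.named_modules(); the attribute names on torch.ao.nn.quantized.Sigmoid (output_scale / output_zero_point) are stated here as an assumption to verify against your PyTorch version. It goes one step beyond the "scale > 0, zero_point in range" check: a crafted pair such as scale=0.001, zero_point=255 is in range for quint8, so the example also verifies that the quantization grid can actually represent the activation's output range.

```python
"""Load-time validation of scale / zero_point for quantized activation modules.

Added example, not PyTorch's own code. Runs without torch: callers pass plain
records built from the model. For torch.ao.nn.quantized.Sigmoid the values are,
to my knowledge, the output_scale / output_zero_point attributes (assumption).
"""
import math
from typing import Dict, Iterable, List, Tuple

# Integer ranges of the quantized dtypes PyTorch uses for activations.
QDTYPE_RANGES: Dict[str, Tuple[int, int]] = {
    "quint8": (0, 255),
    "qint8": (-128, 127),
}

# Mathematical output range of each activation. A grid that does not cover
# this range clips the module's outputs, which is how bad qparams skew results.
ACTIVATION_CODOMAIN: Dict[str, Tuple[float, float]] = {
    "sigmoid": (0.0, 1.0),
    "tanh": (-1.0, 1.0),
}


def check_qparams(scale, zero_point, dtype: str) -> List[str]:
    """Basic checks: scale finite and > 0, zero_point an int inside the dtype
    range. Returns a list of problems; an empty list means the pair passes."""
    if dtype not in QDTYPE_RANGES:
        return [f"unknown quantized dtype {dtype!r}"]
    qmin, qmax = QDTYPE_RANGES[dtype]
    problems: List[str] = []
    if (isinstance(scale, bool) or not isinstance(scale, (int, float))
            or not math.isfinite(scale) or scale <= 0):
        problems.append(f"scale must be a finite positive number, got {scale!r}")
    if isinstance(zero_point, bool) or not isinstance(zero_point, int):
        problems.append(f"zero_point must be an int, got {zero_point!r}")
    elif not qmin <= zero_point <= qmax:
        problems.append(
            f"zero_point {zero_point} outside {dtype} range [{qmin}, {qmax}]")
    return problems


def representable_range(scale, zero_point, dtype: str) -> Tuple[float, float]:
    """Smallest and largest real value the affine grid (q - zp) * scale can
    express for this dtype."""
    qmin, qmax = QDTYPE_RANGES[dtype]
    return (qmin - zero_point) * scale, (qmax - zero_point) * scale


def check_activation_coverage(kind, scale, zero_point, dtype) -> List[str]:
    """Catch parameters that pass check_qparams but cannot represent the
    activation's outputs. scale=0.001, zero_point=255 is in range for quint8,
    yet its grid only spans [-0.255, 0.0], so every sigmoid output saturates."""
    if kind not in ACTIVATION_CODOMAIN:
        return []
    out_lo, out_hi = ACTIVATION_CODOMAIN[kind]
    lo, hi = representable_range(scale, zero_point, dtype)
    problems: List[str] = []
    if lo > out_lo:
        problems.append(f"{kind} grid starts at {lo} but outputs reach {out_lo}")
    # The top bin [hi, hi + scale) must reach the codomain's upper end: the
    # usual sigmoid grid (scale 1/256, zp 0) tops out at 255/256 and still
    # covers values approaching 1.0.
    if hi + scale < out_hi:
        problems.append(f"{kind} grid ends at {hi} but outputs reach {out_hi}")
    return problems


def validate_quant_modules(modules: Iterable[dict]) -> Dict[str, List[str]]:
    """Run both checks over module records. Returns {name: problems} for the
    modules that fail; an empty dict means the model is safe to serve."""
    report: Dict[str, List[str]] = {}
    for m in modules:
        problems = check_qparams(m["scale"], m["zero_point"], m["dtype"])
        if not problems:
            problems = check_activation_coverage(
                m["kind"], m["scale"], m["zero_point"], m["dtype"])
        if problems:
            report[m["name"]] = problems
    return report


# Constructed sample records standing in for a scanned model.
CONSTRUCTED_MODULES = [
    {"name": "features.act1", "kind": "sigmoid", "scale": 1 / 256,
     "zero_point": 0, "dtype": "quint8"},      # usual sigmoid grid, passes
    {"name": "head.sigmoid", "kind": "sigmoid", "scale": 0.001,
     "zero_point": 255, "dtype": "quint8"},    # in range, but saturates
    {"name": "head.zero_scale", "kind": "sigmoid", "scale": 0.0,
     "zero_point": 0, "dtype": "quint8"},      # scale must be > 0
    {"name": "head.bad_zp", "kind": "tanh", "scale": 1 / 128,
     "zero_point": 300, "dtype": "quint8"},    # zero_point out of range
]

if __name__ == "__main__":
    for name, problems in validate_quant_modules(CONSTRUCTED_MODULES).items():
        print(name, "->", "; ".join(problems))
```

Wire validate_quant_modules into the model-loading path and refuse to serve when the report is non-empty; the coverage check is what separates a merely out-of-range parameter from one that is valid on paper but silently zeroes the activation.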
What does CISA's SSVC say?
CISA's SSVC decision for this CVE is Track. Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
What is CVE-2025-2149?
This low-severity flaw in PyTorch 2.6.0's quantized Sigmoid module allows a local attacker with limited privileges to corrupt scale/zero_point initialization, silently degrading model prediction integrity. It is not actively exploited and requires local access with high attack complexity; deprioritize patching unless you run inference workloads on multi-tenant or shared GPU infrastructure. Monitor for PyTorch patch releases and schedule the upgrade in the next maintenance window.
Is CVE-2025-2149 actively exploited?
No active exploitation has been reported, but proof-of-concept exploit code is publicly available for CVE-2025-2149, which increases the risk of exploitation.
How to fix CVE-2025-2149?
1. Inventory PyTorch versions across inference and training infrastructure; flag any deployment on 2.6.0+cu124.
2. Avoid using `torch.nn.quantized.Sigmoid` with unvalidated scale/zero_point arguments until patched.
3. Validate quantization parameters at model load time: assert scale > 0 and zero_point is within the expected integer range.
4. Monitor GitHub issue #147818 for upstream patch status.
5. If quantized inference is critical, consider downgrading to PyTorch 2.5.x as a temporary workaround.
6. For production serving, enforce process isolation on inference workers to limit local privilege escalation paths.
What systems are affected by CVE-2025-2149?
This vulnerability affects the following AI/ML architecture patterns: quantized inference serving, training pipelines, model serving, edge AI deployments.
What is the CVSS score for CVE-2025-2149?
CVE-2025-2149 has a CVSS v3.1 base score of 2.5 (LOW). The EPSS exploitation probability is 0.23%.
What is the AI security impact?
Affected AI Architectures: quantized inference serving, training pipelines, model serving, edge AI deployments.
MITRE ATLAS Techniques:
- AML.T0010.001 AI Software
- AML.T0018 Manipulate AI Model
- AML.T0031 Erode AI Model Integrity
What are the technical details?
Original Advisory
A vulnerability was found in PyTorch 2.6.0+cu124. It has been rated as problematic. Affected by this issue is the function nnq_Sigmoid of the component Quantized Sigmoid Module. The manipulation of the argument scale/zero_point leads to improper initialization. The attack needs to be approached locally. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.
Exploitation Scenario
A malicious insider or compromised CI/CD process with user-level access to an inference server constructs a PyTorch model artifact that instantiates `nnq_Sigmoid` with crafted scale=0.001 and zero_point=255. When the model is loaded and executed in production, the quantized activation output maps incorrectly, causing the model to systematically misclassify specific inputs. In a content moderation or fraud detection pipeline, this creates a reliable bypass: attacker-controlled inputs pass through undetected while legitimate traffic may be misflagged. The integrity degradation is subtle and unlikely to trigger standard accuracy-monitoring thresholds unless A/B comparisons against full-precision models are in place.
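The A/B comparison the scenario says is needed to notice this degradation, as an added example (not PyTorch or advisory code). It simulates the quint8 affine quantize/dequantize step in pure Python so it runs without torch or a model, and reports how far a quantized sigmoid drifts from its float reference and how often the thresholded decision flips; the fixed sigmoid parameters scale=1/256, zero_point=0 are stated as an assumption about PyTorch's defaults.

```python
"""A/B fidelity check of a quantized sigmoid against its float reference.

Added example, not PyTorch's or the advisory's code. The quantize/dequantize
round trip is simulated here so the check runs offline without torch.
"""
import math
from typing import Sequence, Tuple

QUINT8 = (0, 255)  # integer range of the quint8 activation dtype


def sigmoid(x: float) -> float:
    return 1.0 / (1.0 + math.exp(-x))


def fake_quant(value: float, scale: float, zero_point: int) -> float:
    """Quantize to quint8 with the given affine parameters, then dequantize:
    this is the value a consumer of the quantized tensor actually sees."""
    qmin, qmax = QUINT8
    q = int(round(value / scale)) + zero_point
    q = max(qmin, min(qmax, q))  # saturate to the dtype range
    return (q - zero_point) * scale


def quantized_sigmoid(x: float, scale: float, zero_point: int) -> float:
    return fake_quant(sigmoid(x), scale, zero_point)


def ab_compare(logits: Sequence[float], scale: float, zero_point: int,
               threshold: float = 0.5) -> Tuple[float, float]:
    """Return (max absolute error, fraction of inputs whose thresholded
    decision differs) between float and quantized sigmoid outputs."""
    max_err = 0.0
    disagreements = 0
    for x in logits:
        ref = sigmoid(x)
        got = quantized_sigmoid(x, scale, zero_point)
        max_err = max(max_err, abs(ref - got))
        if (ref >= threshold) != (got >= threshold):
            disagreements += 1
    return max_err, disagreements / len(logits)


# Constructed logits spanning both sides of the decision threshold.
CONSTRUCTED_LOGITS = [-4.0, -2.0, -0.5, 0.0, 0.5, 2.0, 4.0, 6.0]
USUAL = (1 / 256, 0)    # fixed quint8 sigmoid parameters (assumption)
CRAFTED = (0.001, 255)  # the pair from the exploitation scenario

if __name__ == "__main__":
    for label, (scale, zp) in (("usual", USUAL), ("crafted", CRAFTED)):
        err, rate = ab_compare(CONSTRUCTED_LOGITS, scale, zp)
        print(f"{label}: max error {err:.4f}, decision disagreement {rate:.0%}")
```

With the usual parameters the error stays below one quantization step and no decision flips; with the crafted pair every quantized output saturates to 0, so every positive-class input is missed. Running this comparison on a held-out batch at model load, and alerting when the disagreement rate exceeds a small tolerance, is the monitoring the scenario calls for.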
Weaknesses (CWE)
CWE-665 — Improper Initialization: The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.
- [Requirements] Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, in Java, if the programmer does not explicitly initialize a variable, then the code could produce a compile-time error (if the variable is local) or automatically initialize the variable to the default value for the variable's type. In Perl, if explicit initialization is not performed, then a default value of undef is assigned, which is interpreted as 0, false, or an equivalent value depending on the context in which the variable is accessed.
- [Architecture and Design] Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
References
- github.com/pytorch/pytorch/issues/147818 Issue
- vuldb.com (Permissions Required, VDB)
- vuldb.com (3rd Party VDB)
- vuldb.com (Exploit, 3rd Party VDB)
- github.com/advisories/GHSA-x3gm-94wq-g975
- github.com/pypa/advisory-database/tree/main/vulns/torch/PYSEC-2025-190.yaml
- nvd.nist.gov/vuln/detail/CVE-2025-2149
- github.com/fkie-cad/nvd-json-data-feeds Exploit
Related Vulnerabilities
- CVE-2024-5452 (CVSS 9.8) pytorch-lightning: RCE via deepdiff Delta deserialization (same package: torch)
- CVE-2023-43654 (CVSS 9.8) TorchServe: SSRF + RCE via unrestricted model URL loading (same package: torch)
- CVE-2022-45907 (CVSS 9.8) PyTorch: RCE via unsafe eval in JIT annotations (same package: torch)
- CVE-2022-0845 (CVSS 9.8) pytorch-lightning: code injection enables full RCE (same package: torch)
- CVE-2024-35198 (CVSS 9.8) TorchServe: URL bypass enables arbitrary model loading (same package: torch)