CVE-2025-2998: PyTorch memory corruption

Q: Is CVE-2025-2998 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-2998, increasing the risk of exploitation.

Q: How to fix CVE-2025-2998?

1. Pin PyTorch to a version prior to 2.6.0 or await an official patch — monitor pytorch/pytorch#149622 for fix status. 2. Restrict local access to training infrastructure; enforce least-privilege on shared ML compute nodes. 3. Isolate training workloads in containers with no shared memory namespaces between users. 4. Audit JupyterHub and Kubeflow deployments for multi-tenant exposure — ensure namespace isolation. 5. Detection: monitor for anomalous memory usage patterns or segfaults in PyTorch worker processes, which may indicate exploitation attempts. 6. If PyTorch 2.6.0 is required, disable use of pad_packed_sequence and replace with equivalent manual padding logic as a temporary workaround.

Q: What systems are affected by CVE-2025-2998?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, shared ML compute clusters, model serving (RNN-based), MLOps platforms (Kubeflow, Ray, MLflow), NLP inference pipelines.

Q: What is the CVSS score for CVE-2025-2998?

CVE-2025-2998 has a CVSS v3.1 base score of 5.3 (MEDIUM). The EPSS exploitation probability is 0.17%.

CISO Take

A memory corruption bug in PyTorch 2.6.0's pad_packed_sequence function is exploitable by any local user with low privileges — relevant in shared ML compute environments (JupyterHub, Kubeflow, shared training clusters). No patch version is identified yet; restrict local access to ML training infrastructure and monitor for anomalous process behavior on GPU/training nodes. Exploit code is public, raising urgency despite the local-only attack vector.

What is the risk?

CVSS 5.3 (Medium) understates operational risk in AI/ML environments where shared compute is the norm. Multi-tenant training clusters, shared Jupyter environments, and CI/CD ML pipelines routinely grant multiple users local execution access — precisely the attack surface this vulnerability targets. Memory corruption (CWE-119) with low complexity and no user interaction means a privileged insider or compromised ML engineer account can reliably exploit this. The public disclosure of the exploit elevates priority. No CISA KEV listing and no confirmed active exploitation keep this below critical, but shared ML infra teams should treat this as high-priority patching.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
PyTorch	pip	—	No patch
100.9K OpenSSF 6.4 22.7K dependents Pushed 3d ago 11% patched ~216d to patch Full package profile →
PyTorch	pip	<= 2.6.0	No patch
100.9K OpenSSF 6.4 22.7K dependents Pushed 3d ago 11% patched ~216d to patch Full package profile →

How severe is it?

CVSS 3.1

5.3 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 7% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Moderate

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Local

AC Low

PR Low

UI None

S Unchanged

C Low

I Low

A Low

What should I do?

6 steps

Pin PyTorch to a version prior to 2.6.0 or await an official patch — monitor pytorch/pytorch#149622 for fix status.
Restrict local access to training infrastructure; enforce least-privilege on shared ML compute nodes.
Isolate training workloads in containers with no shared memory namespaces between users.
Audit JupyterHub and Kubeflow deployments for multi-tenant exposure — ensure namespace isolation.
Detection: monitor for anomalous memory usage patterns or segfaults in PyTorch worker processes, which may indicate exploitation attempts.
If PyTorch 2.6.0 is required, disable use of pad_packed_sequence and replace with equivalent manual padding logic as a temporary workaround.

What does CISA's SSVC say?

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Code Execution Supply Chain DoS Framework Training Data AML.T0010.001 - AI Software AML.T0037 - Data from Local System AML.T0044 - Full AI Model Access

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system

ISO 42001

A.6.1.2 - AI risk assessment A.8.2 - AI system security

NIST AI RMF

MANAGE 2.2 - Mechanisms are in place to inventory AI systems and associated risks MAP 5.1 - Likelihood of vulnerabilities or other risks inherent in the AI system are examined

OWASP LLM Top 10

LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2025-2998?

A memory corruption bug in PyTorch 2.6.0's pad_packed_sequence function is exploitable by any local user with low privileges — relevant in shared ML compute environments (JupyterHub, Kubeflow, shared training clusters). No patch version is identified yet; restrict local access to ML training infrastructure and monitor for anomalous process behavior on GPU/training nodes. Exploit code is public, raising urgency despite the local-only attack vector.

Is CVE-2025-2998 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-2998, increasing the risk of exploitation.

How to fix CVE-2025-2998?

1. Pin PyTorch to a version prior to 2.6.0 or await an official patch — monitor pytorch/pytorch#149622 for fix status. 2. Restrict local access to training infrastructure; enforce least-privilege on shared ML compute nodes. 3. Isolate training workloads in containers with no shared memory namespaces between users. 4. Audit JupyterHub and Kubeflow deployments for multi-tenant exposure — ensure namespace isolation. 5. Detection: monitor for anomalous memory usage patterns or segfaults in PyTorch worker processes, which may indicate exploitation attempts. 6. If PyTorch 2.6.0 is required, disable use of pad_packed_sequence and replace with equivalent manual padding logic as a temporary workaround.

What systems are affected by CVE-2025-2998?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, shared ML compute clusters, model serving (RNN-based), MLOps platforms (Kubeflow, Ray, MLflow), NLP inference pipelines.

What is the CVSS score for CVE-2025-2998?

CVE-2025-2998 has a CVSS v3.1 base score of 5.3 (MEDIUM). The EPSS exploitation probability is 0.17%.

What is the AI security impact?

Affected AI Architectures

training pipelinesshared ML compute clustersmodel serving (RNN-based)MLOps platforms (Kubeflow, Ray, MLflow)NLP inference pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0037 Data from Local System

AML.T0044 Full AI Model Access

Compliance Controls Affected

EU AI Act: Article 15, Article 9

ISO 42001: A.6.1.2, A.8.2

NIST AI RMF: MANAGE 2.2, MAP 5.1

OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

A vulnerability was found in PyTorch 2.6.0. It has been declared as critical. Affected by this vulnerability is the function torch.nn.utils.rnn.pad_packed_sequence. The manipulation leads to memory corruption. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used.

Exploitation Scenario

An adversary with a low-privilege account on a shared GPU training cluster (common in academic or enterprise ML environments) submits a crafted training job that calls pad_packed_sequence with a malformed packed sequence tensor. The memory corruption primitive allows the adversary to overwrite adjacent memory regions — potentially corrupting another user's model weights mid-training, leaking gradient data from a co-located training process, or achieving code execution in the context of the PyTorch worker. In a Kubeflow or Ray cluster where multiple training jobs share node memory, this could enable cross-tenant data leakage or denial of service against other ML workloads.

Weaknesses (CWE)

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer Primary CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer: The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

[Requirements] Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer. Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe.
[Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions.

Source: MITRE CWE corpus.