CVE-2025-3001: PyTorch lstm_cell memory corruption,

Q: Is CVE-2025-3001 actively exploited?

No confirmed active exploitation of CVE-2025-3001 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2025-3001?

1. Pin PyTorch to a patched release as soon as upstream publishes a fix; monitor pytorch/pytorch#149626 for patch status. 2. Interim workaround: restrict torch.lstm_cell usage to vetted, trusted code paths; do not expose LSTM inference endpoints to untrusted input without input validation. 3. In shared environments (Jupyter, Ray, Kubeflow), apply OS-level process isolation (namespaces, seccomp) to limit blast radius. 4. Enable crash monitoring on PyTorch processes — repeated crashes of lstm_cell paths may indicate exploitation attempts. 5. Audit which services in your AI stack use LSTM models and their network/user exposure.

Q: What systems are affected by CVE-2025-3001?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, shared ML compute clusters, MLOps pipelines.

Q: What is the CVSS score for CVE-2025-3001?

CVE-2025-3001 has a CVSS v3.1 base score of 5.3 (MEDIUM). The EPSS exploitation probability is 0.17%.

CISO Take

PyTorch 2.6.0 has a memory corruption bug in torch.lstm_cell (CWE-119) exploitable by any local user with low privileges. In shared GPU/compute environments — MLOps clusters, Jupyter hubs, model training farms — this is a lateral movement or privilege escalation vector. Audit exposure on multi-tenant AI infrastructure and prioritize patching where PyTorch runs alongside sensitive model weights or training data.

What is the risk?

Rated CVSS 5.3 Medium, but contextual risk is higher in shared AI compute environments. Attack complexity is Low and no user interaction is required — any authenticated user on the box can trigger it. Memory corruption (CWE-119) in a core tensor operation historically enables DoS and potentially arbitrary code execution depending on heap layout. Not in CISA KEV and no confirmed in-the-wild exploitation, but the exploit is public, lowering the bar for abuse significantly.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
PyTorch	pip	—	No patch
100.9K OpenSSF 6.4 22.7K dependents Pushed 2d ago 11% patched ~216d to patch Full package profile →
PyTorch	pip	< 2.10.0	`2.10.0`
100.9K OpenSSF 6.4 22.7K dependents Pushed 2d ago 11% patched ~216d to patch Full package profile →

How severe is it?

CVSS 3.1

5.3 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 7% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Local

AC Low

PR Low

UI None

S Unchanged

C Low

I Low

A Low

What should I do?

5 steps

Pin PyTorch to a patched release as soon as upstream publishes a fix; monitor pytorch/pytorch#149626 for patch status.
Interim workaround: restrict torch.lstm_cell usage to vetted, trusted code paths; do not expose LSTM inference endpoints to untrusted input without input validation.
In shared environments (Jupyter, Ray, Kubeflow), apply OS-level process isolation (namespaces, seccomp) to limit blast radius.
Enable crash monitoring on PyTorch processes — repeated crashes of lstm_cell paths may indicate exploitation attempts.
Audit which services in your AI stack use LSTM models and their network/user exposure.

What does CISA's SSVC say?

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Code Execution DoS Framework AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity for high-risk AI systems

ISO 42001

8.4 - AI system lifecycle — operation and monitoring

NIST AI RMF

MEASURE 2.6 - Testing, Evaluation, Validation, and Verification (TEVV)

OWASP LLM Top 10

LLM05:2025 - Insecure Output Handling / Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2025-3001?

PyTorch 2.6.0 has a memory corruption bug in torch.lstm_cell (CWE-119) exploitable by any local user with low privileges. In shared GPU/compute environments — MLOps clusters, Jupyter hubs, model training farms — this is a lateral movement or privilege escalation vector. Audit exposure on multi-tenant AI infrastructure and prioritize patching where PyTorch runs alongside sensitive model weights or training data.

Is CVE-2025-3001 actively exploited?

No confirmed active exploitation of CVE-2025-3001 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-3001?

1. Pin PyTorch to a patched release as soon as upstream publishes a fix; monitor pytorch/pytorch#149626 for patch status. 2. Interim workaround: restrict torch.lstm_cell usage to vetted, trusted code paths; do not expose LSTM inference endpoints to untrusted input without input validation. 3. In shared environments (Jupyter, Ray, Kubeflow), apply OS-level process isolation (namespaces, seccomp) to limit blast radius. 4. Enable crash monitoring on PyTorch processes — repeated crashes of lstm_cell paths may indicate exploitation attempts. 5. Audit which services in your AI stack use LSTM models and their network/user exposure.

What systems are affected by CVE-2025-3001?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, shared ML compute clusters, MLOps pipelines.

What is the CVSS score for CVE-2025-3001?

CVE-2025-3001 has a CVSS v3.1 base score of 5.3 (MEDIUM). The EPSS exploitation probability is 0.17%.

What is the AI security impact?

Affected AI Architectures

training pipelinesmodel servingshared ML compute clustersMLOps pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0029 Denial of AI Service

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 15

ISO 42001: 8.4

NIST AI RMF: MEASURE 2.6

OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

A vulnerability classified as critical was found in PyTorch 2.6.0. This vulnerability affects the function torch.lstm_cell. The manipulation leads to memory corruption. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used.

Exploitation Scenario

An adversary with a low-privilege account on a shared ML training cluster crafts a malformed tensor input to torch.lstm_cell with dimensions or strides that violate buffer boundaries. On a vulnerable PyTorch 2.6.0 install, this triggers heap corruption. In a best-case attacker scenario on a training node, this corrupts adjacent heap memory — potentially overwriting model weights in memory, crashing the training process, or with precise heap grooming achieving code execution under the training job's service account, which often has access to cloud storage buckets containing proprietary model artifacts and datasets.

Weaknesses (CWE)

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer Primary CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer: The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

[Requirements] Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer. Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe.
[Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions.

Source: MITRE CWE corpus.