CVE-2025-3001 — MEDIUM (CVSS 5.3) AI Security Vulnerability

CISO Take

PyTorch 2.6.0 has a memory corruption bug in torch.lstm_cell (CWE-119) exploitable by any local user with low privileges. In shared GPU/compute environments — MLOps clusters, Jupyter hubs, model training farms — this is a lateral movement or privilege escalation vector. Audit exposure on multi-tenant AI infrastructure and prioritize patching where PyTorch runs alongside sensitive model weights or training data.

Risk Assessment

Rated CVSS 5.3 Medium, but contextual risk is higher in shared AI compute environments. Attack complexity is Low and no user interaction is required — any authenticated user on the box can trigger it. Memory corruption (CWE-119) in a core tensor operation historically enables DoS and potentially arbitrary code execution depending on heap layout. Not in CISA KEV and no confirmed in-the-wild exploitation, but the exploit is public, lowering the bar for abuse significantly.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
pytorch	pip	—	No patch
99.6K OpenSSF 6.4 21.7K dependents Pushed 6d ago 8% patched ~142d to patch Full package profile →

Do you use pytorch? You're affected.

Severity & Risk

CVSS 3.1

5.3 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 44% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Local

AC Low

PR Low

UI None

S Unchanged

C Low

I Low

A Low

Recommended Action

5 steps

Pin PyTorch to a patched release as soon as upstream publishes a fix; monitor pytorch/pytorch#149626 for patch status.
Interim workaround: restrict torch.lstm_cell usage to vetted, trusted code paths; do not expose LSTM inference endpoints to untrusted input without input validation.
In shared environments (Jupyter, Ray, Kubeflow), apply OS-level process isolation (namespaces, seccomp) to limit blast radius.
Enable crash monitoring on PyTorch processes — repeated crashes of lstm_cell paths may indicate exploitation attempts.
Audit which services in your AI stack use LSTM models and their network/user exposure.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Code Execution DoS Framework AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity for high-risk AI systems

ISO 42001

8.4 - AI system lifecycle — operation and monitoring

NIST AI RMF

MEASURE 2.6 - Testing, Evaluation, Validation, and Verification (TEVV)

OWASP LLM Top 10

LLM05:2025 - Insecure Output Handling / Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2025-3001?

PyTorch 2.6.0 has a memory corruption bug in torch.lstm_cell (CWE-119) exploitable by any local user with low privileges. In shared GPU/compute environments — MLOps clusters, Jupyter hubs, model training farms — this is a lateral movement or privilege escalation vector. Audit exposure on multi-tenant AI infrastructure and prioritize patching where PyTorch runs alongside sensitive model weights or training data.

Is CVE-2025-3001 actively exploited?

No confirmed active exploitation of CVE-2025-3001 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-3001?

1. Pin PyTorch to a patched release as soon as upstream publishes a fix; monitor pytorch/pytorch#149626 for patch status. 2. Interim workaround: restrict torch.lstm_cell usage to vetted, trusted code paths; do not expose LSTM inference endpoints to untrusted input without input validation. 3. In shared environments (Jupyter, Ray, Kubeflow), apply OS-level process isolation (namespaces, seccomp) to limit blast radius. 4. Enable crash monitoring on PyTorch processes — repeated crashes of lstm_cell paths may indicate exploitation attempts. 5. Audit which services in your AI stack use LSTM models and their network/user exposure.

What systems are affected by CVE-2025-3001?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, shared ML compute clusters, MLOps pipelines.

What is the CVSS score for CVE-2025-3001?

CVE-2025-3001 has a CVSS v3.1 base score of 5.3 (MEDIUM). The EPSS exploitation probability is 0.21%.

Technical Details

NVD Description

A vulnerability classified as critical was found in PyTorch 2.6.0. This vulnerability affects the function torch.lstm_cell. The manipulation leads to memory corruption. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used.

Exploitation Scenario

An adversary with a low-privilege account on a shared ML training cluster crafts a malformed tensor input to torch.lstm_cell with dimensions or strides that violate buffer boundaries. On a vulnerable PyTorch 2.6.0 install, this triggers heap corruption. In a best-case attacker scenario on a training node, this corrupts adjacent heap memory — potentially overwriting model weights in memory, crashing the training process, or with precise heap grooming achieving code execution under the training job's service account, which often has access to cloud storage buckets containing proprietary model artifacts and datasets.