CVE-2025-30402: ExecuTorch: heap overflow in method load, RCE risk

GHSA-h952-963h-rv99 HIGH
Published July 11, 2025
CISO Take

ExecuTorch's on-device inference runtime crashes and may allow code execution when loading maliciously crafted model files. Any mobile or edge AI deployment using ExecuTorch <= 0.6.0 should upgrade to 0.7.0 immediately — this includes Android apps using the Maven package. If models are loaded from external or user-controlled sources, treat this as critical regardless of EPSS score.

What is the risk?

CVSS 8.1 (High) with very low EPSS (0.00096), not in CISA KEV. User interaction is required (UI:R), meaning exploitation likely requires a victim to load a crafted model file. Attack complexity is low and no privileges are needed, making it accessible to motivated attackers. The main risk vector is supply chain: orgs that pull models from public hubs or CDNs, or that allow user-supplied model files, are materially exposed. Confidentiality and availability are both rated High — a successful exploit could crash the runtime or exfiltrate on-device data.

What systems are affected?

Package                         Ecosystem  Vulnerable Range  Patched
ExecuTorch                      pip        <= 0.6.0          0.7.0-rc1
ExecuTorch                      pip        <= 0.6.0          0.7.0
org.pytorch:executorch-android  maven      <= 0.6.0          0.7.0-rc1

How severe is it?

CVSS 3.1: 8.1 / 10
EPSS: 0.4% chance of exploitation in 30 days (higher than 27% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

What is the attack surface?

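AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): Required
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): None
A (Availability): High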

What should I do?

6 steps
  1. Upgrade: pip install "executorch>=0.7.0" (quote the requirement so the shell does not treat >= as a redirect) or update Maven dependency to executorch-android:0.7.0-rc1.

  2. Verify commit 93b1a0c15f7eda49b2bc46b5b4c49557b4e9810f is included in your build if using a custom build from source.

  3. Restrict model loading to cryptographically signed, internally-verified model files only — reject unsigned or third-party model artifacts.

  4. Audit OTA model update pipelines for integrity checks and chain-of-custody validation.

  5. For Android deployments, check if the Maven package version is pinned in build.gradle and force update.

  6. Detection: monitor for abnormal process crashes in inference workers; heap overflow exploits often leave crash signatures in logcat/syslog before achieving stable execution.
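
One way to implement the integrity gate from steps 3 and 4, as an added example (not ExecuTorch or advisory code): a manifest pins each model file's SHA-256 and is authenticated before any bytes reach the runtime. HMAC-SHA256 stands in for an asymmetric signature so the block runs on the standard library alone; `sign_manifest`, `load_verified`, the manifest layout and the key are assumptions.

```python
import hashlib
import hmac
import json
import os
import tempfile


def _mac(models: dict, key: bytes) -> str:
    # Canonical JSON so the build side and the device MAC the same bytes.
    body = json.dumps(models, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def sign_manifest(models: dict, key: bytes) -> dict:
    """Build side: pin {file name: SHA-256} and authenticate the map."""
    return {"models": models, "mac": _mac(models, key)}


def load_verified(path: str, manifest: dict, key: bytes) -> bytes:
    """Return the model bytes only if the manifest is authentic and pins them."""
    if not hmac.compare_digest(_mac(manifest["models"], key), str(manifest.get("mac"))):
        raise ValueError("manifest authentication failed")
    pinned = manifest["models"].get(os.path.basename(path))
    if pinned is None:
        raise ValueError("model not listed in manifest")
    with open(path, "rb") as f:
        data = f.read()  # read once: the bytes hashed are the bytes returned
    if not hmac.compare_digest(hashlib.sha256(data).hexdigest(), pinned):
        raise ValueError("model digest mismatch")
    return data


def demo() -> list:
    """Constructed inputs: a stand-in file, not a real .pte model."""
    key, blob, results = b"constructed-demo-key", b"constructed model bytes", []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "classifier.pte")
        with open(path, "wb") as f:
            f.write(blob)
        good = sign_manifest({"classifier.pte": hashlib.sha256(blob).hexdigest()}, key)
        results.append(len(load_verified(path, good, key)))
        with open(path, "ab") as f:
            f.write(b"\x00")  # constructed change: file no longer matches its pin
        for manifest in (good, dict(good, mac="0" * 64)):
            try:
                load_verified(path, manifest, key)
            except ValueError as e:
                results.append(str(e))
    return results
```

Pass the returned bytes to the runtime rather than re-opening the path, so the file cannot change between verification and load.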

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 17 - Quality Management System — third-party components
Article 9 - Risk Management System
ISO 42001
A.6.1.4 - AI system risk management — third-party and supply chain
NIST AI RMF
MANAGE 2.2 - Mechanisms are in place to respond to and recover from AI risks
OWASP LLM Top 10
LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2025-30402?

ExecuTorch's on-device inference runtime crashes and may allow code execution when loading maliciously crafted model files. Any mobile or edge AI deployment using ExecuTorch <= 0.6.0 should upgrade to 0.7.0 immediately — this includes Android apps using the Maven package. If models are loaded from external or user-controlled sources, treat this as critical regardless of EPSS score.

Is CVE-2025-30402 actively exploited?

No confirmed active exploitation of CVE-2025-30402 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-30402?

  1. Upgrade: pip install "executorch>=0.7.0" (quote the requirement so the shell does not treat >= as a redirect) or update Maven dependency to executorch-android:0.7.0-rc1.
  2. Verify commit 93b1a0c15f7eda49b2bc46b5b4c49557b4e9810f is included in your build if using a custom build from source.
  3. Restrict model loading to cryptographically signed, internally-verified model files only — reject unsigned or third-party model artifacts.
  4. Audit OTA model update pipelines for integrity checks and chain-of-custody validation.
  5. For Android deployments, check if the Maven package version is pinned in build.gradle and force update.
  6. Detection: monitor for abnormal process crashes in inference workers; heap overflow exploits often leave crash signatures in logcat/syslog before achieving stable execution.

What systems are affected by CVE-2025-30402?

This vulnerability affects the following AI/ML architecture patterns: on-device model inference, mobile ML deployment, edge AI / embedded inference, model serving, OTA model update pipelines.

What is the CVSS score for CVE-2025-30402?

CVE-2025-30402 has a CVSS v3.1 base score of 8.1 (HIGH). The EPSS exploitation probability is 0.35%.

What is the AI security impact?

Affected AI Architectures

on-device model inference, mobile ML deployment, edge AI / embedded inference, model serving, OTA model update pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011.000 Unsafe AI Artifacts
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 17, Article 9
ISO 42001: A.6.1.4
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

A heap-buffer-overflow vulnerability in the loading of ExecuTorch methods can cause the runtime to crash and potentially result in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit 93b1a0c15f7eda49b2bc46b5b4c49557b4e9810f.

Exploitation Scenario

An adversary crafts a malicious ExecuTorch model file (.pte) with a specially constructed method structure designed to trigger a heap buffer overflow during the method-loading phase. The attacker hosts this file on a public model repository (e.g., HuggingFace, a CDN, or a compromised model registry). A mobile app or edge device with an automatic model update feature downloads and loads the malicious file. The overflow corrupts heap memory, potentially overwriting function pointers or return addresses, enabling arbitrary code execution in the context of the inference process — which may have access to local sensor data, credentials stored on device, or serve as a pivot into the broader device OS.

Weaknesses (CWE)

CWE-122 — Heap-based Buffer Overflow: A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

  • Pre-design: Use a language or compiler that performs automatic bounds checking.
  • Architecture and Design: Use an abstraction library to abstract away risky APIs. Not a complete solution.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

Timeline

Published: July 11, 2025
Last Modified: October 6, 2025
First Seen: March 24, 2026

Related Vulnerabilities