CVE-2025-30404: ExecuTorch: integer overflow RCE on model load

GHSA-hj95-mhgf-jxc4 | Severity: CRITICAL | CISA SSVC: Track*
Published August 8, 2025
CISO Take

Any application loading ExecuTorch models — especially from untrusted or user-supplied sources — is exposed to unauthenticated remote code execution. This is a CVSS 9.8 with no privileges and no user interaction required, making it trivially weaponizable via a crafted model file. Patch to ExecuTorch 0.7.0 immediately and enforce model provenance controls until patched.

What is the risk?

CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) puts this at maximum exploitability on paper. EPSS is currently very low (0.15%), suggesting no active exploitation detected yet, but the attack surface is broad: any mobile, edge, or server-side AI system that loads .pte model files is potentially reachable. The window between disclosure and weaponized PoC for integer overflow vulnerabilities in memory-unsafe contexts is historically short. Risk is HIGH for organizations running ExecuTorch in production, especially if model loading accepts externally-sourced files.

What systems are affected?

Package                         Ecosystem   Vulnerable Range   Patched
ExecuTorch                      pip         < 0.7.0            0.7.0
org.pytorch:executorch-android  maven       < 0.7.0            0.7.0

Package stats (pip): 4.7K, 1 dependents, pushed 3d ago, 92% patched, ~64d to patch.

How severe is it?

CVSS 3.1: 9.8 / 10
EPSS: 0.6% chance of exploitation in 30 days (higher than 43% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

What should I do?

5 steps
  1. PATCH

    Upgrade executorch (pip), executorch-android (Maven), or any source build to version 0.7.0 or commit d158236b1dc84539c1b16843bc74054c9dcba006 or later.

  2. INVENTORY

    Identify all services and mobile apps loading ExecuTorch models, especially those accepting models from external or user-controlled sources.

  3. RESTRICT

    Until patched, enforce strict model provenance — load only cryptographically signed models from internal registries; reject any externally sourced .pte files.

  4. DETECT

    Monitor for anomalous crashes or segfaults in model-loading components, which may indicate active probing or exploitation attempts.

  5. SBOM

    If running a mobile AI product, notify downstream users of the affected Android SDK dependency and release an updated build.

What does CISA's SSVC say?

Decision Track*
Exploitation none
Automatable Yes
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  • Article 15 - Accuracy, robustness and cybersecurity
  • Article 9 - Risk management system
ISO 42001
  • A.6.2.2 - Suppliers and third-party relationships
  • A.9.3.1 - Security of AI systems
NIST AI RMF
  • GOVERN 6.1 - Policies for AI risk in the supply chain
  • MANAGE 2.2 - Mechanisms to address identified AI risks
OWASP LLM Top 10
  • LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2025-30404?

Any application loading ExecuTorch models — especially from untrusted or user-supplied sources — is exposed to unauthenticated remote code execution. This is a CVSS 9.8 with no privileges and no user interaction required, making it trivially weaponizable via a crafted model file. Patch to ExecuTorch 0.7.0 immediately and enforce model provenance controls until patched.

Is CVE-2025-30404 actively exploited?

No confirmed active exploitation of CVE-2025-30404 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-30404?

  1. PATCH: Upgrade executorch (pip), executorch-android (Maven), or any source build to version 0.7.0 or commit d158236b1dc84539c1b16843bc74054c9dcba006 or later.
  2. INVENTORY: Identify all services and mobile apps loading ExecuTorch models, especially those accepting models from external or user-controlled sources.
  3. RESTRICT: Until patched, enforce strict model provenance — load only cryptographically signed models from internal registries; reject any externally sourced .pte files.
  4. DETECT: Monitor for anomalous crashes or segfaults in model-loading components, which may indicate active probing or exploitation attempts.
  5. SBOM: If running a mobile AI product, notify downstream users of the affected Android SDK dependency and release an updated build.

What systems are affected by CVE-2025-30404?

This vulnerability affects the following AI/ML architecture patterns: Edge / on-device inference, Mobile AI applications (Android), Model serving pipelines, Model registry / distribution systems, CI/CD model validation pipelines.

What is the CVSS score for CVE-2025-30404?

CVE-2025-30404 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.57%.

What is the AI security impact?

Affected AI Architectures

  • Edge / on-device inference
  • Mobile AI applications (Android)
  • Model serving pipelines
  • Model registry / distribution systems
  • CI/CD model validation pipelines

MITRE ATLAS Techniques

AML.T0002.001 Models
AML.T0010.001 AI Software
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: A.6.2.2, A.9.3.1
NIST AI RMF: GOVERN 6.1, MANAGE 2.2
OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

An integer overflow vulnerability in the loading of ExecuTorch models can cause overlapping allocations, potentially resulting in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit d158236b1dc84539c1b16843bc74054c9dcba006.

Exploitation Scenario

An adversary crafts a malicious ExecuTorch model file (.pte) with integer values in the model header carefully chosen to trigger an overflow during allocation size calculation. When the target application loads this file — via a compromised model update server, a malicious model uploaded to a shared registry, or a social-engineered file download — the overflow causes two allocations to occupy overlapping memory regions. The adversary controls the content written to the second allocation, overwriting a function pointer or return address in the first. On next invocation of the corrupted structure, attacker-controlled code executes in the context of the mobile app or inference service. No authentication, credentials, or prior access to the target system is required beyond the ability to deliver the malicious model file.

Weaknesses (CWE)

CWE-190 — Integer Overflow or Wraparound: The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.

  • [Requirements] Ensure that all protocols are strictly defined, such that all out-of-bounds behavior can be identified simply, and require strict conformance to the protocol.
  • [Requirements] Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. If possible, choose a language or compiler that performs automatic bounds checking.

Source: MITRE CWE corpus.
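As an added illustration of the CWE-190 pattern described above and of the check a loader needs before allocating from file-supplied sizes (example code, not ExecuTorch's own; the header field names, the 256 MiB cap and the helper names are constructed for this demonstration and are not the real .pte layout):

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed header for the example: three untrusted integers read from a
 * model file. Field names are hypothetical, not ExecuTorch's real .pte layout. */
struct section_hdr {
    uint32_t num_entries;  /* element count, file-controlled */
    uint32_t entry_size;   /* bytes per element, file-controlled */
    uint32_t extra_bytes;  /* trailing payload length, file-controlled */
};

/* Policy cap on any single section; an assumption for the example. */
#define MAX_SECTION_BYTES ((size_t)256u << 20)   /* 256 MiB */

/* The CWE-190 pattern: the size is computed in 32-bit arithmetic and wraps
 * silently, so a huge request comes out small and the buffer is undersized.
 * uint32_t keeps the wrap reproducible on 64-bit hosts; on 32-bit mobile and
 * edge targets size_t itself behaves this way. */
uint32_t unchecked_size(const struct section_hdr *h) {
    return h->num_entries * h->entry_size + h->extra_bytes;
}

/* Hardened form: each arithmetic step is tested for wraparound before the
 * result is trusted, and the total is capped. Fails closed (returns false). */
bool checked_size(const struct section_hdr *h, size_t *out) {
    size_t n = h->num_entries, sz = h->entry_size, extra = h->extra_bytes;
    if (sz != 0 && n > SIZE_MAX / sz)             /* n * sz would wrap */
        return false;
    size_t total = n * sz;
    if (total > SIZE_MAX - extra)                 /* total + extra would wrap */
        return false;
    total += extra;
    if (total == 0 || total > MAX_SECTION_BYTES)  /* empty or absurd request */
        return false;
    *out = total;
    return true;
}

/* Loader-side wrapper: NULL means "reject this model file", never "try anyway". */
void *alloc_section(const struct section_hdr *h) {
    size_t bytes;
    if (!checked_size(h, &bytes))
        return NULL;
    return malloc(bytes);
}
```

With num_entries = 0x10000 and entry_size = 0x10001 the unchecked product wraps to 0x10000, so a multi-gigabyte request is allocated as 65,552 bytes; the checked path rejects the same header.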

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: August 8, 2025
Last Modified: October 6, 2025
First Seen: March 24, 2026
