CVE-2025-3136: PyTorch: memory corruption in CUDA caching allocator

Severity: LOW | PoC available | CISA SSVC: Track*
Published April 3, 2025
CISO Take

CVE-2025-3136 is a low-severity memory corruption bug in PyTorch 2.6.0's CUDA allocator, exploitable only by local authenticated users with no data exposure risk. Impact is limited to availability—crashes or instability in GPU-accelerated workloads. Schedule a routine upgrade to a patched PyTorch release; no emergency response is warranted.

What is the risk?

Low risk overall. The local-only attack vector (AV:L) with low-privilege requirement (PR:L) significantly constrains the attack surface—remote exploitation is not possible. CVSS impact is restricted to availability (C:N/I:N/A:L), meaning no data leakage or integrity compromise. Risk escalates slightly in multi-tenant GPU clusters or shared ML training environments where untrusted users may hold local system access. Public exploit disclosure warrants inclusion in the next scheduled maintenance window, not emergency patching.

What systems are affected?

Package: PyTorch
Ecosystem: pip
Vulnerable Range: (not listed)
Patched: No patch

Do you use PyTorch? You're affected.

How severe is it?

CVSS 3.1: 3.3 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 11% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): Low

What should I do?

5 steps
  1. Upgrade PyTorch beyond 2.6.0 once a patched release is available; monitor GitHub issue #149821 and official PyTorch releases for patch confirmation.

  2. In multi-tenant GPU environments, enforce strict workload isolation—separate Kubernetes namespaces, CUDA MIG partitioning where supported.

  3. Restrict local shell access to GPU training hosts to authorized personnel only; enforce least-privilege policies.

  4. Monitor for anomalous PyTorch process crashes, unexpected GPU OOM errors, or training job failures as potential exploitation indicators.

  5. If immediate upgrade is not feasible, avoid executing untrusted or third-party code on shared GPU training infrastructure.
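Step 4 above names the indicators worth watching for (process crashes, unexpected GPU OOM errors, training job failures). As an added example, not code from the advisory or from the PyTorch project, the script below parses constructed scheduler log lines, keeps only events from the listed vulnerable release 2.6.0, and flags any job that accumulates repeated crash indicators inside a 30-minute window. The log format, tenant and job names, and the three indicator strings are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample scheduler log lines (not from the advisory); one event per line.
SAMPLE_LOGS = """\
2025-04-03T10:00:01Z tenant=alice job=train-42 torch=2.6.0 status=running
2025-04-03T10:05:12Z tenant=alice job=train-42 torch=2.6.0 msg="CUDA error: an illegal memory access was encountered"
2025-04-03T10:05:13Z tenant=alice job=train-42 torch=2.6.0 status=crashed exit=134
2025-04-03T10:11:40Z tenant=alice job=train-42 torch=2.6.0 status=crashed exit=134
2025-04-03T10:18:02Z tenant=alice job=train-42 torch=2.6.0 msg="CUDA out of memory. Tried to allocate 2.00 GiB"
2025-04-03T10:18:03Z tenant=alice job=train-42 torch=2.6.0 status=crashed exit=1
2025-04-03T11:00:00Z tenant=bob job=serve-7 torch=2.7.0 status=running
2025-04-03T11:30:00Z tenant=bob job=serve-7 torch=2.7.0 status=crashed exit=1
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) tenant=(?P<tenant>\S+) job=(?P<job>\S+) torch=(?P<torch>\S+) (?P<rest>.*)$")
# Indicators named in step 4: process crashes, unexpected GPU OOM errors, job failures (assumed strings).
INDICATORS = ("status=crashed", "CUDA error", "out of memory")

def is_affected_version(version):
    """Only PyTorch 2.6.0 is listed as vulnerable; ignore local build tags such as '+cu124'."""
    return version.split("+")[0] == "2.6.0"

def parse_events(text):
    """Parse log lines into dicts with a datetime timestamp and a crash-indicator flag."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the constructed format
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["indicator"] = any(tok in ev["rest"] for tok in INDICATORS)
        events.append(ev)
    return events

def flag_jobs(events, window=timedelta(minutes=30), threshold=3):
    """Return {(tenant, job)} with >= threshold indicators inside one window on an affected build."""
    per_job = defaultdict(list)
    for ev in events:
        if ev["indicator"] and is_affected_version(ev["torch"]):
            per_job[(ev["tenant"], ev["job"])].append(ev["ts"])
    flagged = set()
    for key, stamps in per_job.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            # sliding window: count indicators from this event forward within `window`
            if sum(1 for t in stamps[i:] if t - start <= window) >= threshold:
                flagged.add(key)
                break
    return flagged
```

Running `flag_jobs(parse_events(SAMPLE_LOGS))` on the constructed input flags only the alice/train-42 job; bob's single crash on 2.7.0 is outside the listed vulnerable release and is not counted.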

What does CISA's SSVC say?

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.3 - AI system security and resilience
NIST AI RMF: MANAGE 2.2 - Mechanisms are in place to inventory AI risks

Frequently Asked Questions

Is CVE-2025-3136 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-3136, increasing the risk of exploitation.

What systems are affected by CVE-2025-3136?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, GPU inference, multi-tenant ML platforms.

What is the CVSS score for CVE-2025-3136?

CVE-2025-3136 has a CVSS v3.1 base score of 3.3 (LOW). The EPSS exploitation probability is 0.21%.

What is the AI security impact?

Affected AI Architectures

training pipelines, model serving, GPU inference, multi-tenant ML platforms

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0029 Denial of AI Service

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.3
NIST AI RMF: MANAGE 2.2

What are the technical details?

Original Advisory

A vulnerability, which was classified as problematic, has been found in PyTorch 2.6.0. This issue affects the function torch.cuda.memory.caching_allocator_delete of the file c10/cuda/CUDACachingAllocator.cpp. The manipulation leads to memory corruption. An attack has to be approached locally. The exploit has been disclosed to the public and may be used.

Exploitation Scenario

A malicious insider or attacker with a compromised developer account on a shared ML training cluster calls torch.cuda.memory.caching_allocator_delete with a crafted invalid or already-freed pointer. The out-of-bounds write in CUDACachingAllocator.cpp corrupts CUDA memory allocator state, crashing the PyTorch process. In a multi-tenant environment, this could be used to repeatedly terminate a co-located training job, disrupt a GPU-based inference endpoint serving production traffic, or force costly GPU memory resets—effectively sabotaging AI workloads without needing elevated privileges.

Weaknesses (CWE)

CWE-787 — Out-of-bounds Write: The product writes data past the end, or before the beginning, of the intended buffer.

  • [Requirements] Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer. Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe.
  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Timeline

Published: April 3, 2025
Last Modified: May 28, 2025
First Seen: April 3, 2025
