CVE-2025-46150: PyTorch: torch.compile silent output inconsistency

MEDIUM
Published September 25, 2025
CISO Take

PyTorch models using FractionalMaxPool2d with torch.compile silently produce different outputs than the same model in eager (development) mode, creating an invisible gap between tested and deployed behavior. This is most dangerous in computer vision-based security controls — content moderation, anomaly detection, visual access control — where production results may diverge from validated test results without any error. Upgrade to PyTorch 2.7.0; if immediate upgrade is not possible, disable torch.compile for models containing FractionalMaxPool2d.

What is the risk?

Medium risk overall, elevated for security-critical ML inference pipelines. The CVSS C:L score reflects potential information inference through inconsistent model outputs. No privileges or user interaction are required, and network exploitability (AV:N) means any model served via API could be targeted. Practical attack surface is limited to organizations running torch.compile-optimized models with FractionalMaxPool2d; however, the silent nature of the discrepancy makes detection difficult without explicit output comparison testing.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
PyTorch pip No patch

How severe is it?

CVSS 3.1: 5.3 / 10
EPSS: 0.4% chance of exploitation in 30 days (higher than 28% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

What is the attack surface?

AV: Network
AC: Low
PR: None
UI: None
S: Unchanged
C: Low
I: None
A: None

What should I do?

  1. Patch: Upgrade to PyTorch 2.7.0, which resolves this issue (PR #144395).

  2. Immediate workaround: remove torch.compile wrappers from models that use FractionalMaxPool2d, or substitute with MaxPool2d/AvgPool2d.

  3. Audit: run grep -r 'FractionalMaxPool2d' across model codebases and training configs.

  4. Validation gate: add a CI/CD step that compares eager vs. compiled model outputs on a held-out validation set before any compiled model ships to production.

  5. Detection: compare inference outputs of currently deployed compiled models against eager-mode equivalents on recent production inputs to quantify existing discrepancy.
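
An AST-based version of the step 3 audit, added here as an example (it is not code from the advisory or from PyTorch). Unlike a plain grep, it also records torch.compile call sites and resolves import aliases, so the two can be correlated. The function names and the sample input are constructed for illustration.

```python
import ast
import pathlib

AFFECTED_LAYER = "FractionalMaxPool2d"  # layer named in the advisory

def _dotted(node):
    """Render a Name/Attribute chain as 'a.b.c'; return '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join([node.id] + parts[::-1]) if isinstance(node, ast.Name) else ""

def audit_source(source, filename="<memory>"):
    """Return line numbers that reference the affected layer or torch.compile."""
    try:
        tree = ast.parse(source, filename)
    except (SyntaxError, ValueError):  # not valid Python 3: review it by hand
        return {"layer": [], "compile": [], "unparsed": True}
    compile_names = {"torch.compile"}
    for node in ast.walk(tree):  # resolve import aliases before matching uses
        if isinstance(node, ast.Import):
            compile_names |= {f"{a.asname or a.name}.compile"
                              for a in node.names if a.name == "torch"}
        elif isinstance(node, ast.ImportFrom) and node.module == "torch":
            compile_names |= {a.asname or a.name
                              for a in node.names if a.name == "compile"}
    layer, compiled = set(), set()
    for node in ast.walk(tree):
        name = _dotted(node)
        if name.rsplit(".", 1)[-1] == AFFECTED_LAYER:
            layer.add(node.lineno)
        elif name in compile_names:
            compiled.add(node.lineno)
    return {"layer": sorted(layer), "compile": sorted(compiled), "unparsed": False}

def audit_tree(root):
    """Map each .py file under root that has a hit (or failed to parse) to its result."""
    files = sorted(pathlib.Path(root).rglob("*.py"))
    found = {str(p): audit_source(p.read_text("utf-8", "replace"), str(p)) for p in files}
    return {path: hit for path, hit in found.items() if any(hit.values())}

# Constructed sample input: torch imported under an alias, plus the builtin compile().
SAMPLE = '''import torch as t
from torch import nn
pool = nn.FractionalMaxPool2d(3, output_ratio=0.5)
fast = t.compile(pool)
code = compile("1", "<s>", "eval")
'''
```

The layer and the torch.compile call often live in different files, so a repository with hits in both columns is a candidate for the eager-vs-compiled comparison in step 4, even when no single file contains both.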

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art.9 - Risk management system for high-risk AI
ISO 42001
A.6.1.4 - AI system verification and validation
NIST AI RMF
MEASURE 2.5 - AI system to be deployed reflects its tested and evaluated performance
OWASP LLM Top 10
LLM09 - Overreliance

Frequently Asked Questions

Is CVE-2025-46150 actively exploited?

No confirmed active exploitation of CVE-2025-46150 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2025-46150?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference optimization pipelines, training pipelines.

What is the CVSS score for CVE-2025-46150?

CVE-2025-46150 has a CVSS v3.1 base score of 5.3 (MEDIUM). The EPSS exploitation probability is 0.36%.

What is the AI security impact?

Affected AI Architectures

model serving, inference optimization pipelines, training pipelines

MITRE ATLAS Techniques

AML.T0001 Search Open AI Vulnerability Analysis
AML.T0010.001 AI Software
AML.T0015 Evade AI Model
AML.T0031 Erode AI Model Integrity

Compliance Controls Affected

EU AI Act: Art.9
ISO 42001: A.6.1.4
NIST AI RMF: MEASURE 2.5
OWASP LLM Top 10: LLM09

What are the technical details?

Original Advisory

In PyTorch before 2.7.0, when torch.compile is used, FractionalMaxPool2d has inconsistent results.

Exploitation Scenario

An adversary with knowledge of this CVE targets a computer vision API backed by a torch.compile-optimized PyTorch model. During reconnaissance they confirm the service uses PyTorch and identify model architecture indicators suggesting FractionalMaxPool2d usage. They then craft borderline inputs — images near the decision boundary of the classifier — that exploit the eager-vs-compiled output divergence. Inputs that would be correctly flagged as malicious by the tested eager-mode model pass through the compiled production model as benign, effectively bypassing a model-based content or access control without triggering any alerts. The attack requires no authentication and is network-accessible via the public inference API.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Timeline

Published: September 25, 2025
Last Modified: October 3, 2025
First Seen: September 25, 2025

Related Vulnerabilities