CVE-2025-46150: PyTorch: torch.compile silent output inconsistency

MEDIUM
Published September 25, 2025
CISO Take

PyTorch models using FractionalMaxPool2d with torch.compile silently produce different outputs than the same model in eager (development) mode, creating an invisible gap between tested and deployed behavior. This is most dangerous in computer vision-based security controls — content moderation, anomaly detection, visual access control — where production results may diverge from validated test results without any error. Upgrade to PyTorch 2.7.0; if immediate upgrade is not possible, disable torch.compile for models containing FractionalMaxPool2d.

Risk Assessment

Medium risk overall, elevated for security-critical ML inference pipelines. The CVSS confidentiality impact of Low (C:L) reflects potential information inference through inconsistent model outputs. No privileges or user interaction are required, and network exploitability (AV:N) means any model served via API could be targeted. The practical attack surface is limited to organizations running torch.compile-optimized models with FractionalMaxPool2d; however, the silent nature of the discrepancy makes detection difficult without explicit output comparison testing.

Affected Systems

Package Ecosystem Vulnerable Range Patched
pytorch pip No patch

Severity & Risk

CVSS 3.1
5.3 / 10
EPSS
0.1%
chance of exploitation in 30 days
Higher than 18% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Moderate

Attack Surface

AV Network
AC Low
PR None
UI None
S Unchanged
C Low
I None
A None

Recommended Action

  1. Patch: Upgrade to PyTorch 2.7.0, which resolves this issue (PR #144395).

  2. Immediate workaround: remove torch.compile wrappers from models that use FractionalMaxPool2d, or substitute with MaxPool2d/AvgPool2d.

  3. Audit: run grep -r 'FractionalMaxPool2d' across model codebases and training configs.

  4. Validation gate: add a CI/CD step that compares eager vs. compiled model outputs on a held-out validation set before any compiled model ships to production.

  5. Detection: compare inference outputs of currently deployed compiled models against eager-mode equivalents on recent production inputs to quantify existing discrepancy.
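
An AST-based form of the audit in step 3, as an added example (not code from this advisory or from the PyTorch project): it flags Python source that both references FractionalMaxPool2d and calls torch.compile, following import aliases that a plain grep misses. The function names and the sample source are constructed for illustration.

```python
import ast

LAYER = "FractionalMaxPool2d"
# Constructed sample input (not taken from any real code base).
SAMPLE = '''import torch as t
from torch.nn import FractionalMaxPool2d as FMP
class Net(t.nn.Module):
    def __init__(self):
        super().__init__()
        self.pool = FMP(3, output_ratio=0.5)
model = t.compile(Net())
'''

def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, or '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""

def audit_source(source):
    """Report lines that reference the layer and lines that use torch.compile."""
    tree = ast.parse(source)
    layer_names, compile_names = {LAYER}, {"torch.compile"}
    # Pass 1: learn the local aliases introduced by import statements.
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.name == "torch" and a.asname:
                    compile_names.add(a.asname + ".compile")
        elif isinstance(node, ast.ImportFrom):
            for a in node.names:
                if a.name == LAYER:
                    layer_names.add(a.asname or a.name)
                elif node.module == "torch" and a.name == "compile":
                    compile_names.add(a.asname or a.name)
    # Pass 2: record every use of either name (imports alone do not count).
    layer_lines, compile_lines = set(), set()
    for node in ast.walk(tree):
        if isinstance(node, (ast.Name, ast.Attribute)):
            name = _dotted(node)
            if name in layer_names or name.endswith("." + LAYER):
                layer_lines.add(node.lineno)
            if name in compile_names:
                compile_lines.add(node.lineno)
    return {"layer": sorted(layer_lines), "compile": sorted(compile_lines),
            "at_risk": bool(layer_lines and compile_lines)}
```

The check only correlates uses within one file, so a model defined in one module and compiled in another still needs the per-file `layer` and `compile` hits reviewed together.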

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art.9 - Risk management system for high-risk AI
ISO 42001
A.6.1.4 - AI system verification and validation
NIST AI RMF
MEASURE 2.5 - AI system to be deployed reflects its tested and evaluated performance
OWASP LLM Top 10
LLM09 - Overreliance

Frequently Asked Questions

Is CVE-2025-46150 actively exploited?

No confirmed active exploitation of CVE-2025-46150 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2025-46150?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference optimization pipelines, training pipelines.

What is the CVSS score for CVE-2025-46150?

CVE-2025-46150 has a CVSS v3.1 base score of 5.3 (MEDIUM). The EPSS exploitation probability is 0.06%.

Technical Details

NVD Description

In PyTorch before 2.7.0, when torch.compile is used, FractionalMaxPool2d has inconsistent results.

Exploitation Scenario

An adversary with knowledge of this CVE targets a computer vision API backed by a torch.compile-optimized PyTorch model. During reconnaissance they confirm the service uses PyTorch and identify model architecture indicators suggesting FractionalMaxPool2d usage. They then craft borderline inputs — images near the decision boundary of the classifier — that exploit the eager-vs-compiled output divergence. Inputs that would be correctly flagged as malicious by the tested eager-mode model pass through the compiled production model as benign, effectively bypassing a model-based content or access control without triggering any alerts. The attack requires no authentication and is network-accessible via the public inference API.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Timeline

Published
September 25, 2025
Last Modified
October 3, 2025
First Seen
September 25, 2025
