CVE-2025-46152: PyTorch: OOB write causes incorrect bitwise shift results

MEDIUM
Published September 25, 2025
CISO Take

PyTorch versions before 2.7.0 contain a CWE-787 out-of-bounds write in bitwise_right_shift that produces silently incorrect tensor outputs when the shift argument is out-of-bounds — no error is raised, just wrong math. Upgrade to PyTorch 2.7.0 immediately; silent compute errors in numerical pipelines are particularly dangerous in AI/ML workloads where correctness is assumed. Audit any custom code relying on bitwise tensor operations for data preprocessing, quantization, or signal processing.

What is the risk?

Medium severity (CVSS 5.3) but contextually elevated for AI/ML systems. No authentication is required and attack complexity is low, so any actor who can influence model inputs or pipeline data could trigger the bug. The CVSS impact is limited to availability, but in ML pipelines the real risk is silent data corruption — incorrect bitwise operations during preprocessing or quantization will propagate through the entire model without raising exceptions, producing subtly wrong outputs. The CVE is not in CISA KEV and there is no reported active exploitation, which keeps overall risk moderate.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
PyTorch pip No patch
100.9K OpenSSF 6.4 22.7K dependents Pushed 3d ago 11% patched ~216d to patch

Do you use PyTorch? You're affected.

How severe is it?

CVSS 3.1
5.3 / 10
EPSS
0.4%
chance of exploitation in 30 days
Higher than 34% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Moderate

What is the attack surface?

AV Network
AC Low
PR None
UI None
S Unchanged
C None
I None
A Low

What should I do?

5 steps
  1. Patch: Upgrade PyTorch to 2.7.0 or apply the patch from PR #143635. Pin the version in requirements.txt/pyproject.toml and rebuild all Docker images.

  2. Detection: Search codebase for torch.bitwise_right_shift calls — grep across training, preprocessing, and serving code. Pay extra attention to quantization routines and any custom CUDA extensions.

  3. Validation: Add unit tests that assert bitwise_right_shift output against known-correct values for boundary inputs (shift amounts of 0, dtype bit-width, dtype bit-width + 1).

  4. Workaround (if upgrade not immediately feasible): Clamp the 'other' argument to [0, dtype_bitwidth - 1] before calling bitwise_right_shift.

  5. Monitoring: Add assertions or anomaly checks on quantization outputs in inference pipelines to detect unexpected value distributions that could indicate silent corruption.
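An added example for steps 2 and 4 (not code from PyTorch or the advisory): a standard-library AST scan that lists every `bitwise_right_shift` call in a source file and notes whether its shift argument is clamped inline. The helper names and the sample module are constructed for illustration, and a clamp applied through an earlier variable is reported for manual review rather than recognised.

```python
import ast

SHIFT_NAMES = {"bitwise_right_shift", "bitwise_right_shift_"}
CLAMP_NAMES = {"clamp", "clamp_", "clip"}  # calls treated as a range guard

# Constructed sample module (not from any real project); parsed, never executed.
SAMPLE = '''\
import torch
def dequant(packed, shift):
    return torch.bitwise_right_shift(packed, shift)
def dequant_safe(packed, shift):
    bits = torch.iinfo(packed.dtype).bits
    return torch.bitwise_right_shift(packed, torch.clamp(shift, 0, bits - 1))
def method_form(packed, shift):
    return packed.bitwise_right_shift(other=shift)
'''

def _callee(call):
    """Trailing name of a call target: torch.clamp(...) -> 'clamp'."""
    func = call.func
    if isinstance(func, ast.Attribute):
        return func.attr
    return func.id if isinstance(func, ast.Name) else None

def _shift_amount(call):
    """The 'other' argument: keyword form first, else the last positional."""
    for kw in call.keywords:
        if kw.arg == "other":
            return kw.value
    return call.args[-1] if call.args else None

def find_right_shift_calls(source, filename="<string>"):
    """Return sorted (line, clamped_inline) pairs, one per bitwise_right_shift call."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Call) and _callee(node) in SHIFT_NAMES:
            other = _shift_amount(node)
            clamped = isinstance(other, ast.Call) and _callee(other) in CLAMP_NAMES
            findings.append((node.lineno, clamped))
    return sorted(findings)

if __name__ == "__main__":
    for line, clamped in find_right_shift_calls(SAMPLE):
        print(f"line {line}: {'clamped inline' if clamped else 'REVIEW: unclamped shift'}")
```

Unlike a plain grep, the scan also catches the method form and in-place variant, and it separates call sites that still need the step 4 workaround from those that already have it.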

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
Article 9 - Risk management system
ISO 42001
A.10.3 - Testing of AI systems
A.6.2.3 - AI system development — software dependency management
NIST AI RMF
GOVERN 6.1 - Policies and procedures for AI risk — software supply chain
MANAGE 2.2 - Mechanisms to respond to AI risks
OWASP LLM Top 10
LLM05:2025 - Improper Output Handling / Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2025-46152?

PyTorch versions before 2.7.0 contain a CWE-787 out-of-bounds write in bitwise_right_shift that produces silently incorrect tensor outputs when the shift argument is out-of-bounds — no error is raised, just wrong math. Upgrade to PyTorch 2.7.0 immediately; silent compute errors in numerical pipelines are particularly dangerous in AI/ML workloads where correctness is assumed. Audit any custom code relying on bitwise tensor operations for data preprocessing, quantization, or signal processing.

Is CVE-2025-46152 actively exploited?

No confirmed active exploitation of CVE-2025-46152 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-46152?

  1. Patch: Upgrade PyTorch to 2.7.0 or apply the patch from PR #143635. Pin the version in requirements.txt/pyproject.toml and rebuild all Docker images.

  2. Detection: Search codebase for torch.bitwise_right_shift calls — grep across training, preprocessing, and serving code. Pay extra attention to quantization routines and any custom CUDA extensions.

  3. Validation: Add unit tests that assert bitwise_right_shift output against known-correct values for boundary inputs (shift amounts of 0, dtype bit-width, dtype bit-width + 1).

  4. Workaround (if upgrade not immediately feasible): Clamp the 'other' argument to [0, dtype_bitwidth - 1] before calling bitwise_right_shift.

  5. Monitoring: Add assertions or anomaly checks on quantization outputs in inference pipelines to detect unexpected value distributions that could indicate silent corruption.

What systems are affected by CVE-2025-46152?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, inference pipelines, quantization workflows, data preprocessing pipelines.

What is the CVSS score for CVE-2025-46152?

CVE-2025-46152 has a CVSS v3.1 base score of 5.3 (MEDIUM). The EPSS exploitation probability is 0.42%.

What is the AI security impact?

Affected AI Architectures

training pipelines, model serving, inference pipelines, quantization workflows, data preprocessing pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0031 Erode AI Model Integrity
AML.T0043 Craft Adversarial Data

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: A.10.3, A.6.2.3
NIST AI RMF: GOVERN 6.1, MANAGE 2.2
OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

In PyTorch before 2.7.0, bitwise_right_shift produces incorrect output for certain out-of-bounds values of the "other" argument.

Exploitation Scenario

An adversary with access to the data pipeline — via a poisoned dataset, malicious model input, or compromised preprocessing script — crafts tensor values where the shift operand exceeds the dtype bit width (e.g., shift by 65 on a 64-bit integer tensor). PyTorch silently writes out-of-bounds memory and returns incorrect results. In a quantization-aware training scenario, this corruption propagates through weight updates, producing a subtly degraded model that passes standard accuracy benchmarks but fails on specific inputs — a stealthy integrity attack. In an inference scenario serving an API, crafted inputs could trigger incorrect classification outputs without raising any runtime errors, enabling adversarial manipulation of model predictions without needing adversarial ML expertise.

Weaknesses (CWE)

CWE-787 — Out-of-bounds Write: The product writes data past the end, or before the beginning, of the intended buffer.

  • [Requirements] Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer. Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe.
  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Timeline

Published
September 25, 2025
Last Modified
October 3, 2025
First Seen
September 25, 2025

Related Vulnerabilities