CVE-2025-46152: PyTorch: OOB write causes incorrect bitwise shift results

MEDIUM
Published September 25, 2025
CISO Take

PyTorch versions before 2.7.0 contain a CWE-787 out-of-bounds write in bitwise_right_shift that produces silently incorrect tensor outputs when the shift argument is out-of-bounds — no error is raised, just wrong math. Upgrade to PyTorch 2.7.0 immediately; silent compute errors in numerical pipelines are particularly dangerous in AI/ML workloads where correctness is assumed. Audit any custom code relying on bitwise tensor operations for data preprocessing, quantization, or signal processing.

Risk Assessment

Medium severity (CVSS 5.3) but contextually elevated for AI/ML systems. No authentication is required and attack complexity is low, so any actor who can influence model inputs or pipeline data could trigger the bug. The CVSS vector scores only a low availability impact (C:N/I:N/A:L), but in ML pipelines the real risk is silent data corruption: incorrect bitwise operations during preprocessing or quantization propagate through the entire model without raising exceptions, producing subtly wrong outputs. The CVE is not in CISA KEV and there is no reported active exploitation, keeping overall risk moderate.

Affected Systems

Package Ecosystem Vulnerable Range Patched
pytorch pip No patch

Severity & Risk

CVSS 3.1: 5.3 / 10
EPSS: 0.1% chance of exploitation in 30 days (higher than 21% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

Attack Surface

AV: Network
AC: Low
PR: None
UI: None
S: Unchanged
C: None
I: None
A: Low

Recommended Action

  1. Patch: Upgrade PyTorch to 2.7.0 or apply the patch from PR #143635. Pin the version in requirements.txt/pyproject.toml and rebuild all Docker images.

  2. Detection: Search codebase for torch.bitwise_right_shift calls — grep across training, preprocessing, and serving code. Pay extra attention to quantization routines and any custom CUDA extensions.

  3. Validation: Add unit tests that assert bitwise_right_shift output against known-correct values for boundary inputs (shift amounts of 0, dtype bit-width, dtype bit-width + 1).

  4. Workaround (if upgrade not immediately feasible): Clamp the 'other' argument to [0, dtype_bitwidth - 1] before calling bitwise_right_shift.

  5. Monitoring: Add assertions or anomaly checks on quantization outputs in inference pipelines to detect unexpected value distributions that could indicate silent corruption.
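
An added example, not part of the original advisory or of PyTorch: a grep for step 2 finds call sites but cannot tell which ones already apply the step 4 clamp, so this sketch uses Python's ast module to list each bitwise_right_shift call and classify its shift operand. The status labels, the literal threshold of 7 and the sample source are constructed for illustration.

```python
import ast

# Call names that reach the affected op: function, method and in-place method form.
SHIFT_NAMES = {"bitwise_right_shift", "bitwise_right_shift_"}
CLAMP_NAMES = {"clamp", "clip"}
SAFE_LITERAL_MAX = 7  # assumption: 8 bits is the narrowest integer dtype in use

def _callee(call):
    """torch.foo(...), x.foo(...) or foo(...) -> 'foo'; anything else -> None."""
    func = call.func
    return getattr(func, "attr", None) or getattr(func, "id", None)

def _shift_operand(call):
    """The 'other' argument: keyword if given, else the last positional."""
    for kw in call.keywords:
        if kw.arg == "other":
            return kw.value
    return call.args[-1] if call.args else None

def _classify(arg):
    if isinstance(arg, ast.Constant) and type(arg.value) is int:
        return "safe-literal" if 0 <= arg.value <= SAFE_LITERAL_MAX else "check-literal"
    if isinstance(arg, ast.Call) and _callee(arg) in CLAMP_NAMES:
        return "clamped"  # the clamp bounds themselves still need a human check
    return "unguarded"  # variable, expression or missing: needs manual review

def find_shift_calls(source, filename="<source>"):
    """Return sorted (line, callee, status) for each bitwise_right_shift call."""
    hits = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Call) and _callee(node) in SHIFT_NAMES:
            hits.append((node.lineno, _callee(node), _classify(_shift_operand(node))))
    return sorted(hits)

# Constructed sample standing in for a preprocessing module.
SAMPLE = '''\
import torch
def unpack(packed, shifts, bits):
    a = torch.bitwise_right_shift(packed, shifts)
    b = packed.bitwise_right_shift(torch.clamp(shifts, 0, 7))
    c = torch.bitwise_right_shift(packed, other=65)
    d = torch.bitwise_right_shift(packed, 4)
    packed.bitwise_right_shift_(bits)
'''

if __name__ == "__main__":
    for line, name, status in find_shift_calls(SAMPLE):
        print(f"line {line}: {name} -> {status}")
```

Uses of the `>>` operator are not reported because the AST carries no type information; review those sites by hand.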

CISA SSVC Assessment

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
  Article 15 - Accuracy, robustness and cybersecurity
  Article 9 - Risk management system
ISO 42001
  A.10.3 - Testing of AI systems
  A.6.2.3 - AI system development — software dependency management
NIST AI RMF
  GOVERN 6.1 - Policies and procedures for AI risk — software supply chain
  MANAGE 2.2 - Mechanisms to respond to AI risks
OWASP LLM Top 10
  LLM05:2025 - Improper Output Handling / Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2025-46152 actively exploited?

No confirmed active exploitation of CVE-2025-46152 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2025-46152?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, inference pipelines, quantization workflows, data preprocessing pipelines.

What is the CVSS score for CVE-2025-46152?

CVE-2025-46152 has a CVSS v3.1 base score of 5.3 (MEDIUM). The EPSS exploitation probability is 0.07%.

Technical Details

NVD Description

In PyTorch before 2.7.0, bitwise_right_shift produces incorrect output for certain out-of-bounds values of the "other" argument.

Exploitation Scenario

An adversary with access to the data pipeline — via a poisoned dataset, malicious model input, or compromised preprocessing script — crafts tensor values where the shift operand exceeds the dtype bit width (e.g., shift by 65 on a 64-bit integer tensor). PyTorch silently writes out-of-bounds memory and returns incorrect results. In a quantization-aware training scenario, this corruption propagates through weight updates, producing a subtly degraded model that passes standard accuracy benchmarks but fails on specific inputs — a stealthy integrity attack. In an inference scenario serving an API, crafted inputs could trigger incorrect classification outputs without raising any runtime errors, enabling adversarial manipulation of model predictions without needing adversarial ML expertise.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Timeline

Published: September 25, 2025
Last Modified: October 3, 2025
First Seen: September 25, 2025

Related Vulnerabilities