AI Threat Alert

CVE-2025-54950: ExecuTorch: OOB read in model loader enables RCE

GHSA-f9hx-c6jf-3qxm CRITICAL PoC AVAILABLE CISA: TRACK*
Published August 8, 2025
CISO Take

ExecuTorch's model parser has an out-of-bounds read during deserialization that can crash the runtime or achieve remote code execution—no authentication or user interaction required (CVSS 9.8). Any mobile, edge, or Android AI deployment loading ExecuTorch models from externally-controlled sources is directly at risk. Upgrade to 0.7.0 immediately and enforce cryptographically verified model provenance before loading.

What is the risk?

CVSS 9.8 (Critical) with network-accessible attack vector, zero privileges required, and zero user interaction makes this a maximum-severity patch target. EPSS of 0.2% suggests no active exploitation observed yet, which likely reflects ExecuTorch's specialized deployment profile rather than low exploitability—the OOB primitive is straightforward once a malicious model file is delivered. Risk is amplified in edge AI and mobile contexts where EDR/NDR coverage is absent and model update cycles are slower than traditional software. Organizations with MLOps pipelines pulling models from external registries or public model hubs face the highest exposure.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
ExecuTorch pip < 0.7.0 0.7.0
4.7K 1 dependents Pushed 2d ago 92% patched ~64d to patch Full package profile →
ExecuTorch pip < 0.7.0 0.7.0
4.7K 1 dependents Pushed 2d ago 92% patched ~64d to patch Full package profile →
org.pytorch:executorch-android maven < 0.7.0 0.7.0

How severe is it?

CVSS 3.1
9.8 / 10
EPSS
0.6%
chance of exploitation in 30 days
Higher than 43% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C High
I High
A High

What should I do?

5 steps

  1. PATCH

    Upgrade to ExecuTorch 0.7.0 (pip: pip install executorch>=0.7.0; Maven: org.pytorch:executorch-android:0.7.0). Apply patch commit fb03b6f85596a8f954d97929075335255b6a58d4 if building from source.

  2. MODEL PROVENANCE

    Load only models signed with a key under your control. Never load model files from user-supplied URLs, third-party repositories, or unverified model hubs. Implement hash verification (SHA-256) for all model artifacts in CI/CD.

  3. ISOLATION

    Sandbox the ExecuTorch runtime process with minimal OS privileges (seccomp, SELinux, or containerization) to contain blast radius of exploitation.

  4. DETECTION

    Monitor inference service processes for abnormal crashes, OOM errors, or unexpected child process spawning. Audit model loading code paths for any dynamic or network-sourced model paths.

  5. MOBILE

    Push an emergency app update for Android apps using the vulnerable Maven artifact; do not rely on user-initiated updates for a CVSS 9.8 RCE.

What does CISA's SSVC say?

Decision Track*
Exploitation none
Automatable Yes
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Code Execution Supply Chain Framework Model Inference AML.T0010.001 AML.T0011.000 AML.T0018.002 AML.T0049

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2 - AI System Risk Management
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain, maintain, and improve AI system trustworthiness
OWASP LLM Top 10
LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2025-54950?

ExecuTorch's model parser has an out-of-bounds read during deserialization that can crash the runtime or achieve remote code execution—no authentication or user interaction required (CVSS 9.8). Any mobile, edge, or Android AI deployment loading ExecuTorch models from externally-controlled sources is directly at risk. Upgrade to 0.7.0 immediately and enforce cryptographically verified model provenance before loading.

Is CVE-2025-54950 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-54950, increasing the risk of exploitation.

How to fix CVE-2025-54950?

1. PATCH: Upgrade to ExecuTorch 0.7.0 (pip: `pip install executorch>=0.7.0`; Maven: `org.pytorch:executorch-android:0.7.0`). Apply patch commit fb03b6f85596a8f954d97929075335255b6a58d4 if building from source. 2. MODEL PROVENANCE: Load only models signed with a key under your control. Never load model files from user-supplied URLs, third-party repositories, or unverified model hubs. Implement hash verification (SHA-256) for all model artifacts in CI/CD. 3. ISOLATION: Sandbox the ExecuTorch runtime process with minimal OS privileges (seccomp, SELinux, or containerization) to contain blast radius of exploitation. 4. DETECTION: Monitor inference service processes for abnormal crashes, OOM errors, or unexpected child process spawning. Audit model loading code paths for any dynamic or network-sourced model paths. 5. MOBILE: Push an emergency app update for Android apps using the vulnerable Maven artifact; do not rely on user-initiated updates for a CVSS 9.8 RCE.

What systems are affected by CVE-2025-54950?

This vulnerability affects the following AI/ML architecture patterns: edge AI inference, mobile ML deployment, on-device model serving, Android AI applications, MLOps model loading pipelines.

What is the CVSS score for CVE-2025-54950?

CVE-2025-54950 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.57%.

What is the AI security impact?

Affected AI Architectures

edge AI inferencemobile ML deploymenton-device model servingAndroid AI applicationsMLOps model loading pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

An out-of-bounds access vulnerability in the loading of ExecuTorch models can cause the runtime to crash and potentially result in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit fb03b6f85596a8f954d97929075335255b6a58d4.

Exploitation Scenario

An adversary crafts a malicious ExecuTorch model file (.pte) with a manipulated flatbuffer header or tensor metadata structure designed to cause the deserializer to read memory beyond allocated buffer bounds. The attacker distributes this file via a typosquatted model package on PyPI or Maven Central, a compromised internal model registry, or social engineering targeting an MLOps engineer into pulling a 'benchmark model' from an attacker-controlled URL. When the application calls the model loader, the out-of-bounds read is triggered—at minimum crashing the inference service (reliable DoS), and in favorable memory layouts, allowing the adversary to control execution flow and achieve RCE within the application process. On Android, successful exploitation yields code execution at the app's UID, potentially accessing tokens, on-device model weights, and sensitive inference data.

Weaknesses (CWE)

CWE-125 Out-of-bounds Read Primary

CWE-125 — Out-of-bounds Read: The product reads data past the end, or before the beginning, of the intended buffer.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] Use a language that provides appropriate memory abstractions.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Timeline

Published
August 8, 2025
Last Modified
October 6, 2025
First Seen
March 24, 2026

Related Vulnerabilities

CRITICAL CVE-2025-30404 9.8

ExecuTorch: integer overflow RCE on model load

Same package: executorch
CRITICAL CVE-2025-30405 9.8

ExecuTorch: integer overflow in model load → RCE

Same package: executorch
CRITICAL CVE-2025-54949 9.8

ExecuTorch: heap buffer overflow RCE via model loading

Same package: executorch
CRITICAL CVE-2025-54951 9.8

ExecuTorch: heap buffer overflow RCE in model loading

Same package: executorch
HIGH CVE-2025-30402 8.1

ExecuTorch: heap overflow in method load, RCE risk

Same package: executorch
Back to Threat Feed