CVE-2025-54951: ExecuTorch: heap buffer overflow RCE in model loading
GHSA-xc7w-r669-48pf
Severity: CRITICAL
CISA SSVC decision: Track

Any application loading ExecuTorch models from untrusted or remote sources is potentially vulnerable to unauthenticated RCE — no user interaction required. Update to ExecuTorch 0.7.0 immediately across pip and Maven dependencies. Prioritize Android deployments using org.pytorch:executorch-android and audit all model delivery pipelines for integrity controls.
What is the risk?
CVSS 9.8 reflects the worst-case vector: network-reachable, zero complexity, no privileges, no interaction. Real-world exploitability hinges on whether the application loads models from attacker-influenced sources — CDNs, model hubs, or OTA update channels. EPSS at 0.17% indicates no confirmed active exploitation, but the attack surface is large given ExecuTorch's adoption across production Android and edge AI deployments. A working exploit requires crafting a malicious model file, placing the bar at moderate sophistication — but once crafted, delivery is trivial through compromised model distribution channels.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| ExecuTorch | pip | < 0.7.0 | 0.7.0 |
| org.pytorch:executorch-android | maven | < 0.7.0 | 0.7.0 |
What should I do?
Six steps:

1. Patch: upgrade to ExecuTorch 0.7.0 (`pip install "executorch>=0.7.0"`; Maven: org.pytorch:executorch-android:0.7.0). Quote the requirement specifier, otherwise the shell treats `>=` as a redirect.
2. If immediate patching is blocked, restrict model loading to cryptographically signed artifacts from verified, controlled sources only — reject any unsigned or externally sourced models.
3. Implement model file integrity verification (SHA-256 + signature check) before loading in all environments.
4. For Android apps, audit OTA model update mechanisms for tamper resistance.
5. Monitor for anomalous crashes or memory faults in inference processes as an exploitation indicator.
6. Review transitive dependencies in ML serving stacks that bundle ExecuTorch.
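Steps 2 and 3 above describe a load-time gate: authenticate a publisher-signed manifest, pin each .pte file to the SHA-256 listed there, and refuse to hand anything else to the loader. The following is an added example of that gate, not ExecuTorch project code. The manifest layout, the file names and the dummy model bytes are constructed for the example, and the signature check is stood in for by HMAC-SHA256 so that the block runs with only the Python standard library; in a real deployment the `verify_signature` callback would wrap an asymmetric verifier (for example Ed25519) so that the device holds only a public key.

```python
"""Integrity gate for ExecuTorch .pte files before they reach the loader.

Added example; this is not ExecuTorch project code. The manifest layout, the
HMAC-based stand-in for the signature check and the dummy model bytes are all
assumptions of this example.
"""
import hashlib
import hmac
import json
import os
import tempfile
from typing import Callable, Dict

CHUNK_SIZE = 1 << 20  # hash 1 MiB at a time so large models are not read into RAM at once


def sha256_file(path: str) -> str:
    """Return the hex SHA-256 of a file, streamed in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def canonical_manifest_bytes(manifest: dict) -> bytes:
    """Serialise the manifest deterministically so signer and verifier hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode("utf-8")


def make_hmac_verifier(key: bytes) -> Callable[[bytes, bytes], bool]:
    """HMAC-SHA256 verifier, used here as a stdlib-only stand-in for a signature check.
    In production replace this with an asymmetric verifier (for example Ed25519) so the
    device only ever holds a public key and cannot mint its own manifests."""
    def verify(message: bytes, tag: bytes) -> bool:
        expected = hmac.new(key, message, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)
    return verify


class ModelRejected(Exception):
    """Raised when a model must not be loaded; .reason is a short machine-readable code."""
    def __init__(self, reason: str, detail: str = ""):
        super().__init__(f"{reason}: {detail}" if detail else reason)
        self.reason = reason


def verify_model(path: str, manifest: dict, tag: bytes,
                 verify_signature: Callable[[bytes, bytes], bool]) -> str:
    """Fail closed: authenticate the manifest first, then pin the file to its listed digest.

    Keep the model in app-private storage so nothing can swap the file between this check
    and the loader opening it."""
    if not verify_signature(canonical_manifest_bytes(manifest), tag):
        raise ModelRejected("manifest-unauthenticated")
    name = os.path.basename(path)
    expected = manifest.get("models", {}).get(name)
    if expected is None:
        raise ModelRejected("not-in-manifest", name)
    actual = sha256_file(path)
    if not hmac.compare_digest(actual, expected):
        raise ModelRejected("digest-mismatch", name)
    return path


def gate(path: str, manifest: dict, tag: bytes,
         verify_signature: Callable[[bytes, bytes], bool]) -> str:
    """Return 'ok' or the rejection reason; convenient for logging at the load site."""
    try:
        verify_model(path, manifest, tag, verify_signature)
        return "ok"
    except ModelRejected as exc:
        return exc.reason


def demo() -> Dict[str, str]:
    """Constructed run: sign a manifest for a dummy .pte, then exercise the gate."""
    key = b"example-only-key"  # constructed for the demo; a real deployment uses a public key
    verify = make_hmac_verifier(key)
    results: Dict[str, str] = {}
    with tempfile.TemporaryDirectory() as tmp:
        model = os.path.join(tmp, "classifier.pte")
        with open(model, "wb") as fh:
            fh.write(b"PTE-DUMMY-MODEL-BYTES" * 1000)  # placeholder bytes, not a real .pte
        manifest = {"version": 1, "models": {"classifier.pte": sha256_file(model)}}
        tag = hmac.new(key, canonical_manifest_bytes(manifest), hashlib.sha256).digest()

        results["genuine"] = gate(model, manifest, tag, verify)

        # A file the publisher never listed (e.g. dropped into the model directory)
        other = os.path.join(tmp, "extra.pte")
        open(other, "wb").close()
        results["unlisted"] = gate(other, manifest, tag, verify)

        # Model replaced in transit: one byte differs, manifest still genuine
        with open(model, "r+b") as fh:
            fh.seek(10)
            fh.write(b"X")
        results["tampered_model"] = gate(model, manifest, tag, verify)

        # The manifest digest is rewritten to match the altered file, but the tag no longer verifies
        forged = {"version": 1, "models": {"classifier.pte": sha256_file(model)}}
        results["forged_manifest"] = gate(model, forged, tag, verify)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:16} -> {outcome}")
```

The order of checks matters: the manifest is authenticated before any digest in it is trusted, so a manifest that has been edited alongside a replaced file is rejected without the file ever being hashed or opened by the loader. Both comparisons use `hmac.compare_digest`, and `gate` returns a reason code rather than raising, which is what an app would log as an integrity-failure event.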
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
What is CVE-2025-54951?
Any application loading ExecuTorch models from untrusted or remote sources is potentially vulnerable to unauthenticated RCE — no user interaction required. Update to ExecuTorch 0.7.0 immediately across pip and Maven dependencies. Prioritize Android deployments using org.pytorch:executorch-android and audit all model delivery pipelines for integrity controls.
Is CVE-2025-54951 actively exploited?
No confirmed active exploitation of CVE-2025-54951 has been reported, but organizations should still patch proactively.
How to fix CVE-2025-54951?
1. Patch: upgrade to ExecuTorch 0.7.0 (`pip install "executorch>=0.7.0"`; Maven: org.pytorch:executorch-android:0.7.0).
2. If immediate patching is blocked, restrict model loading to cryptographically signed artifacts from verified, controlled sources only — reject any unsigned or externally sourced models.
3. Implement model file integrity verification (SHA-256 + signature check) before loading in all environments.
4. For Android apps, audit OTA model update mechanisms for tamper resistance.
5. Monitor for anomalous crashes or memory faults in inference processes as an exploitation indicator.
6. Review transitive dependencies in ML serving stacks that bundle ExecuTorch.
What systems are affected by CVE-2025-54951?
This vulnerability affects the following AI/ML architecture patterns: mobile edge inference, on-device model serving, model delivery and OTA update pipelines, Android ML applications, edge AI deployment pipelines.
What is the CVSS score for CVE-2025-54951?
CVE-2025-54951 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.64%.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0010.001 AI Software
- AML.T0011.000 Unsafe AI Artifacts
- AML.T0018.002 Embed Malware
- AML.T0049 Exploit Public-Facing Application
What are the technical details?
Original Advisory
A group of related buffer overflow vulnerabilities in the loading of ExecuTorch models can cause the runtime to crash and potentially result in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit cea9b23aa8ff78aff92829a466da97461cc7930c.
Exploitation Scenario
An adversary targets an Android application that fetches ExecuTorch models from a third-party CDN or public model hub. They publish a trojanized .pte model file crafted to trigger a heap overflow in ExecuTorch's model loader. The application, running ExecuTorch < 0.7.0, pulls the malicious model during its routine update cycle and loads it. During deserialization, the overflow corrupts adjacent heap memory, hijacking execution flow within the app process. On Android, this yields code execution in the app's sandbox — enabling exfiltration of user data, credentials stored in the app, or further exploitation of device APIs. No user interaction is required beyond the app performing its normal model refresh.
Weaknesses (CWE)
CWE-122 — Heap-based Buffer Overflow: A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
- Pre-design: Use a language or compiler that performs automatic bounds checking.
- Architecture and Design: Use an abstraction library to abstract away risky APIs. Not a complete solution.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Related Vulnerabilities (same package: executorch)
- CVE-2025-30404 (9.8): ExecuTorch: integer overflow RCE on model load
- CVE-2025-30405 (9.8): ExecuTorch: integer overflow in model load → RCE
- CVE-2025-54949 (9.8): ExecuTorch: heap buffer overflow RCE via model loading
- CVE-2025-54950 (9.8): ExecuTorch: OOB read in model loader enables RCE
- CVE-2025-30402 (8.1): ExecuTorch: heap overflow in method load, RCE risk