CVE-2025-54952: ExecuTorch: integer overflow enables RCE via model loading
GHSA-33r8-vrx9-rmcv | MEDIUM | PoC AVAILABLE | CISA: TRACK
A crafted ExecuTorch model file can trigger an integer overflow that allocates undersized memory buffers, enabling potential code execution in any application that loads untrusted models. Update ExecuTorch to commit 8f062d3f661e or later immediately — no patched pip release exists yet. If running edge or mobile AI inference pipelines, audit whether models are loaded from externally-supplied or unverified sources.
Risk Assessment
Medium-to-high severity in practice despite pending CVSS. Integer overflow to buffer overflow (CWE-680) is a well-understood class with proven exploitation paths to code execution. Exploitability requires supplying a crafted model file to the victim runtime — realistic in model marketplaces, federated edge deployments, and pipelines that auto-pull models from registries. EPSS of 0.00226 reflects low current active exploitation, but the malicious-model-file-to-RCE pattern is an emerging and increasingly targeted AI supply chain vector.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| executorch | pip | <= 0.6.0 | No patch |
Recommended Action
1. Patch: upgrade to ExecuTorch commit 8f062d3f661e20bb19b24b767b9a9a46e8359f2b or later; await pip release 0.6.1+ or pin to the post-fix commit in CI.
2. Model integrity controls: only load models from cryptographically signed, hash-verified sources; enforce model allowlists in production.
3. Runtime isolation: run ExecuTorch model loading in sandboxed processes with restricted syscalls (seccomp/AppArmor on Linux, process sandbox on mobile).
4. Supply chain audit: review any CI/CD pipelines or model update services that auto-pull ExecuTorch models from external registries or marketplaces.
5. Detection: monitor for unexpected segfaults, memory allocation failures, or anomalous crashes in ExecuTorch processes; log model provenance.
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
What is CVE-2025-54952?
A crafted ExecuTorch model file can trigger an integer overflow that allocates undersized memory buffers, enabling potential code execution in any application that loads untrusted models. Update ExecuTorch to commit 8f062d3f661e or later immediately — no patched pip release exists yet. If running edge or mobile AI inference pipelines, audit whether models are loaded from externally-supplied or unverified sources.
Is CVE-2025-54952 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2025-54952, increasing the risk of exploitation.
How to fix CVE-2025-54952?
1. Patch: upgrade to ExecuTorch commit 8f062d3f661e20bb19b24b767b9a9a46e8359f2b or later; await pip release 0.6.1+ or pin to the post-fix commit in CI.
2. Model integrity controls: only load models from cryptographically signed, hash-verified sources; enforce model allowlists in production.
3. Runtime isolation: run ExecuTorch model loading in sandboxed processes with restricted syscalls (seccomp/AppArmor on Linux, process sandbox on mobile).
4. Supply chain audit: review any CI/CD pipelines or model update services that auto-pull ExecuTorch models from external registries or marketplaces.
5. Detection: monitor for unexpected segfaults, memory allocation failures, or anomalous crashes in ExecuTorch processes; log model provenance.
What systems are affected by CVE-2025-54952?
This vulnerability affects the following AI/ML architecture patterns: edge inference pipelines, mobile AI deployments, model serving, on-device inference, model conversion pipelines.
What is the CVSS score for CVE-2025-54952?
No CVSS score has been assigned yet.
Technical Details
NVD Description
An integer overflow vulnerability in the loading of ExecuTorch models can cause smaller-than-expected memory regions to be allocated, potentially resulting in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit 8f062d3f661e20bb19b24b767b9a9a46e8359f2b.
Exploitation Scenario
An adversary crafts a malicious .pte (ExecuTorch model) file with a specially constructed header where tensor dimension values produce integer overflow during memory region calculation. When a mobile application or edge device loads this model — via a compromised model update server, a poisoned model registry, or a malicious third-party model distribution channel — the runtime allocates a buffer smaller than actually required by the model data. Adversary-controlled bytes in the model file then overflow into adjacent heap memory, enabling shellcode execution or a return-oriented programming chain within the app process. An attacker who compromises a model distribution CDN or publishes a trojanized model to a public registry could achieve persistent code execution across all devices running the vulnerable ExecuTorch version.
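The undersized-allocation pattern described above, as an added illustration written for this page and not ExecuTorch's own loader code: a constructed tensor-size computation that silently wraps, beside a checked version that rejects the header before any allocation. It assumes GCC/Clang for `__builtin_mul_overflow`; the dimension values and byte counts are made-up inputs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example of the CWE-680 pattern (integer overflow -> undersized
 * buffer). Hypothetical loader, not ExecuTorch's code. */

/* Vulnerable pattern: product of header-supplied dims with no overflow check.
 * With large dims the size_t wraps and a tiny (even zero-byte) buffer results. */
size_t tensor_bytes_unchecked(const uint32_t *dims, size_t ndims, size_t elem_size) {
    size_t n = elem_size;
    for (size_t i = 0; i < ndims; i++)
        n *= dims[i];
    return n;
}

/* Hardened pattern: every multiplication is overflow-checked; returns false
 * instead of a wrapped value so the caller can refuse the model. */
bool tensor_bytes_checked(const uint32_t *dims, size_t ndims, size_t elem_size, size_t *out) {
    size_t n = elem_size;
    for (size_t i = 0; i < ndims; i++) {
        if (__builtin_mul_overflow(n, (size_t)dims[i], &n))
            return false;
    }
    *out = n;
    return true;
}

/* Hypothetical loader step: allocate only when the size is sound AND the file
 * actually carries that many bytes (a header claiming more than the payload
 * is the second half of this bug class). Returns NULL on any rejection. */
void *load_tensor(const uint32_t *dims, size_t ndims, size_t elem_size,
                  const uint8_t *data, size_t data_len) {
    size_t need;
    if (!tensor_bytes_checked(dims, ndims, elem_size, &need))
        return NULL;                 /* header dims overflow: reject model */
    if (need > data_len)
        return NULL;                 /* truncated payload: reject model */
    void *buf = malloc(need);
    if (buf == NULL)
        return NULL;
    memcpy(buf, data, need);         /* copy is bounded by a verified size */
    return buf;
}
```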
Related Vulnerabilities
- CVE-2025-30405 (CVSS 9.8): ExecuTorch: integer overflow in model load → RCE (same package: executorch)
- CVE-2025-54949 (CVSS 9.8): ExecuTorch: heap buffer overflow RCE via model loading (same package: executorch)
- CVE-2025-54951 (CVSS 9.8): ExecuTorch: heap buffer overflow RCE in model loading (same package: executorch)
- CVE-2025-54950 (CVSS 9.8): ExecuTorch: OOB read in model loader enables RCE (same package: executorch)
- CVE-2025-30404 (CVSS 9.8): ExecuTorch: integer overflow RCE on model load (same package: executorch)