CVE-2026-24747: pytorch: Code Injection enables RCE

GHSA-63cw-57p8-fm3p | Severity: HIGH | PoC available | CISA SSVC: Attend
Published January 27, 2026
CISO Take

PyTorch's `weights_only=True` was the security community's recommended mitigation against unsafe pickle deserialization—this CVE breaks that safeguard entirely. Any ML team loading external or shared checkpoint files is at direct risk of arbitrary code execution on whatever host runs the load. Immediate action: upgrade to PyTorch 2.10.0, audit all `torch.load()` call sites, and treat model checkpoints from untrusted sources as untrusted binaries.

Risk Assessment

Effective risk is HIGH despite low EPSS (0.00044, no observed exploitation). The CVSS 8.8 reflects real-world severity: attacker needs only to deliver a malicious .pth file and have a user load it, a realistic vector in ML workflows where engineers routinely download community models. The critical multiplier is that this bypasses `weights_only=True`, PyTorch's widely-adopted 'safe loading' API—organizations that followed security guidance believing they were protected are not. Exposure is broad across data science teams, MLOps pipelines, and any service fine-tuning or evaluating externally sourced models.

Affected Systems

Package    Ecosystem    Vulnerable Range    Patched
pytorch    pip          < 2.10.0            2.10.0

Package profile: 99.6K, OpenSSF 6.4, 21.7K dependents, 8% patched, ~142d to patch.

Severity & Risk

CVSS 3.1 base score: 8.8 / 10
EPSS: 0.1% chance of exploitation in 30 days (higher than 16% of all CVEs)
Exploitation status: Exploit available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): Required
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

Recommended Action

7 steps
  1. PATCH: Upgrade PyTorch to 2.10.0 immediately (pip install --upgrade torch).
  2. AUDIT: Search the codebase for all torch.load() calls regardless of parameters; inventory every checkpoint loading path.
  3. ENFORCE PROVENANCE: Only load checkpoints from internal artifact registries with cryptographic signing (e.g., MLflow Model Registry with checksums).
  4. NETWORK CONTROLS: Block direct download of .pth/.pt files from the internet in ML training environments; route through an internal proxy with AV scanning.
  5. DETECT: Alert on Python processes spawning unexpected child processes or making outbound connections shortly after loading model files.
  6. SHORT-TERM WORKAROUND (if patching is delayed): Sandbox model loading in an isolated subprocess/container with no network access and minimal filesystem permissions.
  7. COMMUNICATE: Notify ML engineering teams that weights_only=True was NOT safe prior to 2.10.0; retrain the mental model.
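The following is an added example written for this advisory, not code from the PyTorch project or from the page's author. It shows a pre-load gate that a wrapper around torch.load() would call first, covering the PATCH, AUDIT and ENFORCE steps above: an AST scan that inventories every torch.load() call site (following `import torch as th` and `from torch import load as x` aliases) and records how weights_only was passed, a version check that refuses to load below 2.10.0, and a SHA-256 check against a manifest pinned at publish time. The manifest layout (file name to hex digest), the sample source, the checkpoint bytes and the `flag` variable are all constructed for the example; real registries expose checksums in their own formats. It uses only the standard library, so it runs without torch installed, and it does not implement the sandboxed-subprocess workaround of step 6.

```python
"""Pre-load gate for PyTorch checkpoints: an added example for this advisory, not
PyTorch project code; standard library only, so it runs without torch. Covers
AUDIT (torch.load() call sites and how weights_only is passed), PATCH (refuse to
load below 2.10.0) and ENFORCE provenance (SHA-256 vs a pinned manifest)."""
import ast
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

PATCHED_VERSION = (2, 10, 0)  # fixed release named in the advisory

def parse_version(version: str) -> tuple:
    """'2.9.1+cu121' -> (2, 9, 1); rc/dev suffixes are dropped, so 2.10.0rc1 passes."""
    nums = [int(re.match(r"\d*", p).group() or 0) for p in version.split("+")[0].split(".")[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def find_torch_load_calls(source: str) -> list:
    """[(lineno, weights_only)] per torch.load() call, sorted: True/False for a
    literal, None when omitted, 'dynamic' otherwise. Follows 'import torch as th',
    'import torch.x' and 'from torch import load as x'. Every hit is a risk below 2.10.0."""
    tree = ast.parse(source)
    torch_names, load_names = set(), set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):  # 'import torch.nn' also binds the name 'torch'
            torch_names.update(a.asname or "torch" for a in node.names
                               if a.name == "torch" or (a.name.startswith("torch.") and not a.asname))
        elif isinstance(node, ast.ImportFrom) and node.module == "torch":
            load_names.update(a.asname or a.name for a in node.names if a.name == "load")
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        fn = node.func
        via_attr = (isinstance(fn, ast.Attribute) and fn.attr == "load"
                    and isinstance(fn.value, ast.Name) and fn.value.id in torch_names)
        via_name = isinstance(fn, ast.Name) and fn.id in load_names
        if not (via_attr or via_name):
            continue
        value = {kw.arg: kw.value for kw in node.keywords}.get("weights_only")
        if value is None:
            weights_only = None
        elif isinstance(value, ast.Constant) and isinstance(value.value, bool):
            weights_only = value.value
        else:
            weights_only = "dynamic"  # computed at runtime; cannot be audited statically
        findings.append((node.lineno, weights_only))
    return sorted(findings, key=lambda f: f[0])

def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_checkpoint(path: Path, manifest: dict) -> str:
    """'ok', 'not in manifest' or 'digest mismatch'; unknown artifacts are refused."""
    expected = manifest.get(path.name)
    if expected is None:
        return "not in manifest"
    if not hmac.compare_digest(sha256_file(path), expected.lower()):
        return "digest mismatch"
    return "ok"

def load_decision(path: Path, manifest: dict, torch_version: str) -> str:
    """What a torch.load() wrapper checks first; on 'refuse: ...' it must not load."""
    if parse_version(torch_version) < PATCHED_VERSION:
        return "refuse: unpatched torch"
    verdict = verify_checkpoint(path, manifest)
    return "ok" if verdict == "ok" else "refuse: " + verdict

# Constructed audit input; file names and the 'flag' variable are made up.
SAMPLE_SOURCE = """
import torch
import torch as th
from torch import load as tload
a = torch.load("a.pth")
b = torch.load("b.pth", weights_only=True)
c = th.load("c.pth", weights_only=flag)
d = tload("d.pth", weights_only=False)
"""

def run_demo() -> dict:
    """Audit SAMPLE_SOURCE, then gate a constructed checkpoint against a pinned,
    a tampered and an empty manifest. Everything here is constructed data."""
    with tempfile.TemporaryDirectory() as tmp:
        ckpt = Path(tmp) / "model.pth"
        ckpt.write_bytes(b"constructed bytes standing in for a checkpoint")
        pinned = {"model.pth": sha256_file(ckpt)}  # as a registry would publish it
        return {
            "audit": find_torch_load_calls(SAMPLE_SOURCE),
            "patched": load_decision(ckpt, pinned, "2.10.0"),
            "unpatched": load_decision(ckpt, pinned, "2.9.1+cu121"),
            "tampered": load_decision(ckpt, {"model.pth": "0" * 64}, "2.10.0"),
            "unknown": load_decision(ckpt, {}, "2.10.0"),
        }
```

Run `run_demo()` to see the four gate outcomes; the audit result lists the four constructed call sites, and the one with `weights_only=True` is reported like the others because, per the advisory, that flag offered no protection before 2.10.0. The digest check refuses files absent from the manifest rather than letting an unlisted artifact through, and it runs on the raw bytes before torch's unpickler ever parses them, which is the point of the provenance control.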

CISA SSVC Assessment

Decision: Attend
Exploitation: poc
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
    Article 15 - Accuracy, robustness and cybersecurity
    Article 9 - Risk management system
ISO 42001
    6.1.2 - AI risk assessment
    8.4 - AI system lifecycle: data and model provenance
    A.6.2 - AI System Design: Security
    A.8.4 - AI System Operation: Monitoring and Measurement
NIST AI RMF
    GOVERN 1.7 - Processes and procedures for decommissioning, undeploy, or phase out
    MANAGE 2.2 - Mechanisms to sustain treatment of identified risks
OWASP LLM Top 10
    LLM05 - Supply Chain Vulnerabilities
    LLM05:2025 - Insecure Output Handling / Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2026-24747 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-24747, increasing the risk of exploitation.

What systems are affected by CVE-2026-24747?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, fine-tuning workflows, MLOps platforms, model registries, data science workstations.

What is the CVSS score for CVE-2026-24747?

CVE-2026-24747 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.05%.

Technical Details

NVD Description

PyTorch is a Python package that provides tensor computation. Prior to version 2.10.0, a vulnerability in PyTorch's `weights_only` unpickler allows an attacker to craft a malicious checkpoint file (`.pth`) that, when loaded with `torch.load(..., weights_only=True)`, can corrupt memory and potentially lead to arbitrary code execution. Version 2.10.0 fixes the issue.

Exploitation Scenario

Attacker uploads a malicious PyTorch checkpoint to HuggingFace Hub, disguising it as a popular fine-tuned LLM variant (e.g., a Llama or Mistral derivative). The file is crafted to exploit the weights_only unpickler bypass, embedding a reverse shell payload inside the serialized structure. A data scientist discovers it via model search, downloads it, and runs `model = torch.load('model.pth', weights_only=True)` during local evaluation or in a shared GPU cluster job. The malicious payload executes, establishing persistence on the training node, from which the attacker pivots to cloud storage buckets containing training data and proprietary model weights. Alternatively, in a supply chain scenario, the attacker compromises an internal model registry and replaces a trusted checkpoint—every training job and serving deployment that hot-reloads the model is then compromised without any user interaction beyond normal operations.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Published: January 27, 2026
Last Modified: January 30, 2026
First Seen: January 27, 2026
