PyTorch's `weights_only=True` was the security community's recommended mitigation against unsafe pickle deserialization. This CVE shows it was not a reliable trust boundary before 2.10.0: a crafted checkpoint can corrupt memory inside the restricted unpickler and potentially reach arbitrary code execution on whatever host runs the load. Any ML team loading external or shared checkpoint files is directly exposed. Immediate action: upgrade to PyTorch 2.10.0, audit all `torch.load()` call sites (including the ones that already pass `weights_only=True`), and treat model checkpoints from untrusted sources as untrusted binaries.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| pytorch (PyPI package `torch`) | pip | < 2.10.0 | 2.10.0 |
Severity & Risk
Recommended Action
1. PATCH: Upgrade PyTorch to 2.10.0 immediately (`pip install --upgrade "torch>=2.10.0"`).
2. AUDIT: Search the codebase for all `torch.load()` calls regardless of parameters, and inventory every checkpoint loading path; calls that pass `weights_only=True` are in scope for this CVE, not excluded by it.
3. ENFORCE provenance: Only load checkpoints from internal artifact registries that pin a digest and sign the artifact (e.g., an MLflow Model Registry entry with a recorded sha256, ideally plus a signature). A checksum proves the bytes are the ones you reviewed; it does not make a malicious file safe to load on a vulnerable version.
4. NETWORK CONTROLS: Block direct download of `.pth`/`.pt` files from the internet in ML training environments; route through an internal proxy with AV scanning.
5. DETECT: Alert on Python processes spawning unexpected child processes or making outbound connections shortly after loading model files.
6. SHORT-TERM WORKAROUND (if patching is delayed): Sandbox model loading in an isolated subprocess or container with no network access and minimal filesystem permissions, so that a successful exploit lands in a throwaway environment rather than on the training node.
7. COMMUNICATE: Notify ML engineering teams that `weights_only=True` was NOT a safe boundary prior to 2.10.0, and retrain the mental model accordingly.
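The PATCH, AUDIT and ENFORCE steps above can be scripted. The following is an added example written for this page, not PyTorch's own tooling: it checks an installed version string against 2.10.0, walks Python source with `ast` to list every `torch.load()` call and how `weights_only` is passed, and gates a checkpoint behind a pinned sha256 before anything is allowed to load it. It deliberately never imports `torch`, so it runs anywhere; the sample source, the file contents and the allowlist digest are constructed for the demo, and the function and file names (`audit_torch_load`, `resnet50.pth`, etc.) are assumptions.

```python
"""Remediation helpers for the torch.load() audit (added example, not PyTorch code)."""
import ast
import hashlib
import hmac
import os
import tempfile

PATCHED = (2, 10, 0)  # first release carrying the weights_only unpickler fix


def parse_version(version: str) -> tuple[int, int, int]:
    """'2.9.1+cu121' -> (2, 9, 1). Local tags and non-numeric suffixes are dropped."""
    core = version.split("+", 1)[0]
    nums = []
    for part in core.split("."):
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        nums.append(int(digits) if digits else 0)
    nums += [0] * (3 - len(nums))
    return tuple(nums[:3])


def is_vulnerable(version: str) -> bool:
    """True when the reported torch version is below 2.10.0.
    Caveat: a '2.10.0.devNNN' nightly compares as patched here even though an
    early nightly may predate the fix; pin to the tagged release instead."""
    return parse_version(version) < PATCHED


def audit_torch_load(source: str, filename: str = "<memory>") -> list[dict]:
    """List every torch.load(...) call with the literal passed as weights_only.
    'unset' means the call relies on the default; all values are in scope,
    because weights_only=True was not a safe boundary before 2.10.0."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute) and func.attr == "load"
                and isinstance(func.value, ast.Name) and func.value.id == "torch"):
            continue
        weights_only = "unset"
        for kw in node.keywords:
            if kw.arg == "weights_only":
                weights_only = ast.unparse(kw.value)
        findings.append({"file": filename, "line": node.lineno,
                         "weights_only": weights_only})
    findings.sort(key=lambda f: f["line"])
    return findings


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_checkpoint(path: str, allowlist: dict[str, str]) -> bool:
    """Provenance gate to run before torch.load(): the artifact name must be in
    the registry allowlist and its bytes must match the pinned digest."""
    expected = allowlist.get(os.path.basename(path))
    return expected is not None and hmac.compare_digest(sha256_file(path), expected)


# Constructed training script used as audit input (line numbers start at the
# first line after the opening quotes, so the calls sit on lines 3, 4 and 5).
SAMPLE_SOURCE = '''
import torch
ckpt = torch.load("model.pth", weights_only=True)   # previously assumed safe
legacy = torch.load("old.pt")                        # relies on the default
unsafe = torch.load("x.pt", weights_only=False, map_location="cpu")
'''


def run_demo() -> dict:
    """Exercise all three helpers on constructed inputs and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        ckpt = os.path.join(tmp, "resnet50.pth")
        with open(ckpt, "wb") as fh:
            fh.write(b"hello")  # stand-in for reviewed checkpoint bytes
        allowlist = {"resnet50.pth":  # sha256(b"hello")
                     "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"}
        trusted = verify_checkpoint(ckpt, allowlist)
        with open(ckpt, "wb") as fh:
            fh.write(b"hello!")  # registry artifact swapped for a tampered one
        tampered = verify_checkpoint(ckpt, allowlist)
    return {
        "findings": audit_torch_load(SAMPLE_SOURCE, "train.py"),
        "vulnerable_2_9_1": is_vulnerable("2.9.1+cu121"),
        "vulnerable_2_10_0": is_vulnerable("2.10.0"),
        "trusted": trusted,
        "tampered": tampered,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

In a real audit, feed `audit_torch_load` the text of every `.py` file in the repository and fail the build on any finding while `is_vulnerable(torch.__version__)` is true. The digest gate is a precondition for loading, not a fix: on a vulnerable version, a checkpoint that matches its pin is still only as safe as the review that produced the pin.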
Classification
Compliance Impact
This CVE is relevant to:
Technical Details
NVD Description
PyTorch is a Python package that provides tensor computation. Prior to version 2.10.0, a vulnerability in PyTorch's `weights_only` unpickler allows an attacker to craft a malicious checkpoint file (`.pth`) that, when loaded with `torch.load(..., weights_only=True)`, can corrupt memory and potentially lead to arbitrary code execution. Version 2.10.0 fixes the issue.
Exploitation Scenario
An attacker uploads a malicious PyTorch checkpoint to HuggingFace Hub, disguising it as a popular fine-tuned LLM variant (e.g., a Llama or Mistral derivative). The file is crafted to trigger the memory corruption in the `weights_only` unpickler and turn it into execution of a reverse-shell payload carried inside the serialized structure. A data scientist discovers it via model search, downloads it, and runs `model = torch.load('model.pth', weights_only=True)` during local evaluation or in a shared GPU cluster job. The payload executes, establishes persistence on the training node, and the attacker pivots from there to cloud storage buckets containing training data and proprietary model weights. Alternatively, in a supply chain scenario, the attacker compromises an internal model registry and replaces a trusted checkpoint; every training job and serving deployment that hot-reloads the model is then compromised without any user interaction beyond normal operations.
Weaknesses (CWE)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References
- github.com/pytorch/pytorch/security/advisories/GHSA-63cw-57p8-fm3p (Vendor advisory)
- github.com/advisories/GHSA-63cw-57p8-fm3p
- github.com/pytorch/pytorch/issues/163105 (Exploit issue)
- github.com/pytorch/pytorch/163122/commit/954dc5183ee9205cbe79876ad05dd2d9ae752139 (fix commit; link as listed is broken)
- github.com/pytorch/pytorch/releases/tag/v2.10.0 (Product release)
- nvd.nist.gov/vuln/detail/CVE-2026-24747