CVE-2026-24747: pytorch: Code Injection enables RCE
GHSA-63cw-57p8-fm3p | HIGH | PoC AVAILABLE | CISA SSVC: ATTEND

PyTorch's `weights_only=True` was the security community's recommended mitigation against unsafe pickle deserialization. This CVE undermines that safeguard: a crafted checkpoint loaded with `torch.load(..., weights_only=True)` can corrupt memory inside the restricted unpickler and lead to arbitrary code execution on whatever host runs the load. Any ML team loading external or shared checkpoint files is at direct risk. Immediate action: upgrade to PyTorch 2.10.0 or later, audit all `torch.load()` call sites, and treat model checkpoints from untrusted sources as untrusted binaries.
What is the risk?
Effective risk is HIGH despite a low EPSS (0.00044 at the time of assessment; no exploitation observed in the wild, although proof-of-concept code is public). The CVSS 8.8 reflects the real-world picture: the attacker only needs to deliver a malicious `.pth` file and have a user load it (the UI:R in the vector), which is a realistic vector in ML workflows where engineers routinely download community models. The critical multiplier is that the bug lives inside the `weights_only=True` code path, PyTorch's widely adopted 'safe loading' API, so organizations that followed security guidance and believed they were protected are not. Exposure is broad: data science teams, MLOps pipelines, and any service fine-tuning or evaluating externally sourced models.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| torch (PyTorch) | pip | < 2.10.0 | 2.10.0 |
What should I do?
Seven steps:

1. PATCH: Upgrade PyTorch to 2.10.0 or later immediately (`pip install --upgrade torch`) and pin `torch>=2.10.0` in requirements and lock files so the fix survives image rebuilds.
2. AUDIT: Search the codebase for all `torch.load()` calls regardless of parameters, including aliased imports such as `from torch import load`, and inventory every checkpoint loading path. A call site that passes `weights_only=True` is not exempt.
3. ENFORCE provenance: Only load checkpoints from internal artifact registries with cryptographic signing and recorded checksums (e.g., MLflow Model Registry with checksums), and verify the digest before the file ever reaches the unpickler.
4. NETWORK CONTROLS: Block direct download of `.pth`/`.pt` files from the internet in ML training environments; route through an internal proxy with AV scanning. AV signatures will not reliably recognise a memory-corruption payload inside a pickle stream, so treat the proxy as a logging and allow-listing choke point rather than as the primary control.
5. DETECT: Alert on Python processes that spawn unexpected child processes or open outbound connections shortly after reading model files.
6. SHORT-TERM WORKAROUND (if patching is delayed): Sandbox model loading in an isolated subprocess or container with no network access, minimal filesystem permissions and an unprivileged user, and pass only the extracted tensors back to the parent.
7. COMMUNICATE: Notify ML engineering teams that `weights_only=True` was NOT a safe boundary prior to 2.10.0, and retrain the mental model: the flag restricts which pickle opcodes and types are accepted, it does not make the parser itself immune to crafted input.
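Steps 2 and 3 above, as an added example (not PyTorch project code): an AST-based inventory of `torch.load()` call sites that also catches aliased imports, plus a checksum gate that refuses to hand a file to any unpickler unless its SHA-256 matches a manifest. The sample source text, the fake checkpoint bytes and the manifest are constructed here; `load_verified` assumes the manifest is obtained from the signed registry rather than alongside the download, and accepts an injected loader so the example runs without torch installed.

```python
"""Added example (not PyTorch project code): inventory torch.load() call sites
and gate checkpoint loading on a checksum manifest before any unpickler runs."""
import ast
import hashlib
import hmac
import os
import tempfile

# Constructed sample source standing in for a file found during a repository scan.
SAMPLE_SOURCE = '''
import torch
from torch import load as tload

ckpt = torch.load("model.pth")                          # no weights_only at all
state = torch.load(path, weights_only=True)             # "safe" flag: still exploitable before 2.10.0
other = tload(p, map_location="cpu", weights_only=False)
'''

# Constructed stand-in for a checkpoint; a real .pth is a zip archive with a pickle inside.
FAKE_CKPT = b"PK\x03\x04 constructed stand-in for a zip-format checkpoint"


def audit_torch_load(source: str) -> list:
    """Return one record per torch.load() call found in `source`: the line number
    and the weights_only argument as written (None when absent).
    Catches both `torch.load(...)` and `from torch import load [as alias]`."""
    tree = ast.parse(source)
    aliases = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module == "torch":
            for alias in node.names:
                if alias.name == "load":
                    aliases.add(alias.asname or alias.name)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        direct = (isinstance(f, ast.Attribute) and f.attr == "load"
                  and isinstance(f.value, ast.Name) and f.value.id == "torch")
        via_alias = isinstance(f, ast.Name) and f.id in aliases
        if not (direct or via_alias):
            continue
        weights_only = None
        for kw in node.keywords:
            if kw.arg == "weights_only":
                weights_only = ast.unparse(kw.value)
        findings.append({"line": node.lineno, "weights_only": weights_only})
    return sorted(findings, key=lambda r: r["line"])


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_checkpoint(path: str, manifest: dict) -> bool:
    """Allow-list gate: the basename must appear in the manifest AND the file must
    hash to the recorded digest. The manifest is the trust root, so in production
    it comes from the signed registry, never from the same place as the download."""
    expected = manifest.get(os.path.basename(path))
    if expected is None:
        return False
    return hmac.compare_digest(sha256_file(path), expected)


def load_verified(path: str, manifest: dict, loader=None):
    """Call the loader only after the digest matches, so an attacker-modified file
    never reaches the unpickler, weights_only or not. `loader` is an assumption
    for testing; by default torch.load is used, imported lazily."""
    if not verify_checkpoint(path, manifest):
        raise PermissionError(f"refusing to unpickle unverified checkpoint: {path}")
    if loader is None:
        import torch  # lazy import: the audit and gate helpers run without torch installed
        loader = lambda p: torch.load(p, map_location="cpu", weights_only=True)
    return loader(path)


def demo() -> dict:
    """Self-contained run over constructed files; returns the observable results."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "good.pth")
        tampered = os.path.join(d, "tampered.pth")
        with open(good, "wb") as fh:
            fh.write(FAKE_CKPT)
        with open(tampered, "wb") as fh:
            fh.write(FAKE_CKPT + b" plus attacker bytes")
        manifest = {"good.pth": sha256_file(good)}
        # Lists the tampered name but with the good file's digest: exercises the
        # hash-mismatch path as distinct from the unlisted-file path.
        stale = {"tampered.pth": manifest["good.pth"]}
        try:
            load_verified(tampered, manifest, loader=os.path.getsize)
            blocked = False
        except PermissionError:
            blocked = True
        return {
            "audit": audit_torch_load(SAMPLE_SOURCE),
            "good_accepted": verify_checkpoint(good, manifest),
            "unlisted_rejected": not verify_checkpoint(tampered, manifest),
            "mismatch_rejected": not verify_checkpoint(tampered, stale),
            "tampered_load_blocked": blocked,
            "good_loaded_size": load_verified(good, manifest, loader=os.path.getsize),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run the audit over every `.py` file in the repository (the record with `weights_only` of `None` is the call that still uses the legacy full unpickler; the one reading `True` is the call this CVE reaches). The gate compares the digest with `hmac.compare_digest` and treats an unlisted file and a listed-but-mismatching file the same way, as a refusal before any bytes are parsed.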
What does CISA's SSVC say?
CISA's SSVC decision for this CVE is Attend. Source: CISA Vulnrichment (SSVC v2.0); decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
What is CVE-2026-24747?
CVE-2026-24747 is a memory-corruption vulnerability in PyTorch's `weights_only` unpickler, present in versions prior to 2.10.0. A crafted checkpoint (`.pth`) loaded with `torch.load(..., weights_only=True)` can corrupt memory and lead to arbitrary code execution on the host performing the load, which defeats the flag that the security community recommended as the mitigation for unsafe pickle deserialization. Upgrade to 2.10.0 or later, audit every `torch.load()` call site, and treat checkpoints from untrusted sources as untrusted binaries.
Is CVE-2026-24747 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2026-24747, which increases the likelihood of exploitation. No in-the-wild exploitation had been observed at the time of assessment (EPSS 0.00044).
How to fix CVE-2026-24747?
In order of priority: (1) upgrade torch to 2.10.0 or later; (2) inventory every `torch.load()` call site, whatever its parameters; (3) load only from signed internal registries and verify checksums before loading; (4) block direct internet downloads of `.pth`/`.pt` files in training environments; (5) alert on child processes or outbound connections from Python shortly after a model load; (6) until patched, load models in a network-isolated sandbox with minimal filesystem access; (7) tell ML teams that `weights_only=True` was not a safe boundary before 2.10.0. The section "What should I do?" above expands each step.
What systems are affected by CVE-2026-24747?
This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, fine-tuning workflows, MLOps platforms, model registries, data science workstations.
What is the CVSS score for CVE-2026-24747?
CVE-2026-24747 has a CVSS v3.1 base score of 8.8 (HIGH), vector `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`. EPSS is recomputed daily; the figures recorded on this page are 0.63% here and 0.00044 (0.044%) in the risk assessment above, both low.
What is the AI security impact?
Affected AI Architectures
Training pipelines, model serving, fine-tuning workflows, MLOps platforms, model registries, data science workstations.
MITRE ATLAS Techniques
- AML.T0002.001 Models
- AML.T0010.001 AI Software
- AML.T0011.000 Unsafe AI Artifacts
- AML.T0018.002 Embed Malware
- AML.T0049 Exploit Public-Facing Application
- AML.T0058 Publish Poisoned Models
What are the technical details?
Original Advisory
PyTorch is a Python package that provides tensor computation. Prior to version 2.10.0, a vulnerability in PyTorch's `weights_only` unpickler allows an attacker to craft a malicious checkpoint file (`.pth`) that, when loaded with `torch.load(..., weights_only=True)`, can corrupt memory and potentially lead to arbitrary code execution. Version 2.10.0 fixes the issue.
Exploitation Scenario
Attacker uploads a malicious PyTorch checkpoint to HuggingFace Hub, disguising it as a popular fine-tuned LLM variant (e.g., a Llama or Mistral derivative). The file is crafted to trigger the memory-corruption bug in the `weights_only` unpickler, with the attacker's payload (for example, a reverse shell) carried inside the serialized structure. A data scientist discovers it via model search, downloads it, and runs `model = torch.load('model.pth', weights_only=True)` during local evaluation or in a shared GPU cluster job. The payload executes and establishes persistence on the training node, from which the attacker pivots to cloud storage buckets containing training data and proprietary model weights. Alternatively, in a supply-chain scenario, the attacker compromises an internal model registry and replaces a trusted checkpoint; every training job and serving deployment that hot-reloads the model is then compromised without any user interaction beyond normal operations.
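The post-load behaviour in this scenario (a shell spawned and a connection opened right after the checkpoint is read) is what the DETECT step above keys on. As an added example that is not part of the original page or of any PyTorch tooling, the rule below runs over constructed process-telemetry events shaped like a simplified EDR or auditd export; the field names, the 120-second window, the expected-children list and the internal address prefixes are all assumptions to tune per environment.

```python
"""Added example (not PyTorch project code): detect a Python process that spawns an
unexpected child or connects outbound shortly after opening a model file."""
import json

# Constructed newline-delimited JSON, shaped like a simplified EDR/auditd export.
# Fields: ts (epoch seconds), pid, image, event, and one of path / child / dst.
SAMPLE_TELEMETRY = """\
{"ts": 100, "pid": 4242, "image": "/usr/bin/python3", "event": "open", "path": "/home/ds/models/llama-ft.pth"}
{"ts": 101, "pid": 4242, "image": "/usr/bin/python3", "event": "exec", "child": "/bin/sh"}
{"ts": 103, "pid": 4242, "image": "/usr/bin/python3", "event": "connect", "dst": "203.0.113.7:4444"}
{"ts": 200, "pid": 5150, "image": "/usr/bin/python3", "event": "open", "path": "/data/ckpt/resnet.pt"}
{"ts": 205, "pid": 5150, "image": "/usr/bin/python3", "event": "exec", "child": "/usr/bin/nvidia-smi"}
{"ts": 230, "pid": 5150, "image": "/usr/bin/python3", "event": "connect", "dst": "10.0.0.5:443"}
{"ts": 500, "pid": 5150, "image": "/usr/bin/python3", "event": "exec", "child": "/bin/sh"}
{"ts": 600, "pid": 6000, "image": "/usr/bin/python3", "event": "exec", "child": "/bin/sh"}
{"ts": 650, "pid": 7000, "image": "/usr/bin/curl", "event": "open", "path": "/tmp/x.pth"}
"""

MODEL_EXTENSIONS = (".pt", ".pth", ".ckpt", ".bin")
# Assumed site-specific allow-lists; tune to the environment.
EXPECTED_CHILDREN = frozenset({"/usr/bin/nvidia-smi", "/usr/bin/ld", "/usr/bin/gcc"})
INTERNAL_DESTINATIONS = ("10.", "192.168.")
WINDOW_SECONDS = 120


def parse_events(ndjson: str) -> list:
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def is_python(image: str) -> bool:
    return image.rsplit("/", 1)[-1].startswith("python")


def detect_post_load_behaviour(events, window=WINDOW_SECONDS) -> list:
    """Flag a Python process that, within `window` seconds of opening a model file,
    execs a child outside EXPECTED_CHILDREN or connects to a non-internal destination.
    Events are processed in time order; the most recent model open per pid is kept."""
    last_model_open = {}
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        pid = e["pid"]
        if e["event"] == "open":
            if is_python(e["image"]) and e["path"].endswith(MODEL_EXTENSIONS):
                last_model_open[pid] = (e["ts"], e["path"])
            continue
        opened = last_model_open.get(pid)
        if opened is None or e["ts"] - opened[0] > window:
            continue  # no model load on record for this pid, or it was too long ago
        delay = e["ts"] - opened[0]
        if e["event"] == "exec" and e["child"] not in EXPECTED_CHILDREN:
            alerts.append({"pid": pid, "ts": e["ts"], "model": opened[1],
                           "reason": f"unexpected child {e['child']} {delay}s after model load"})
        elif e["event"] == "connect" and not e["dst"].startswith(INTERNAL_DESTINATIONS):
            alerts.append({"pid": pid, "ts": e["ts"], "model": opened[1],
                           "reason": f"outbound connection to {e['dst']} {delay}s after model load"})
    return alerts


if __name__ == "__main__":
    for alert in detect_post_load_behaviour(parse_events(SAMPLE_TELEMETRY)):
        print(json.dumps(alert))
```

On the constructed feed only pid 4242 fires (the shell at 101 and the connection to 203.0.113.7:4444 at 103). The `nvidia-smi` child and the internal connection from pid 5150 are expected, its later `/bin/sh` falls outside the window, pid 6000 never opened a model file, and pid 7000 is not Python. The rule needs file-open telemetry; where only process-start events are available, key on the Python process's command line or on a `torch.load` trace hook instead.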
Weaknesses (CWE)
- CWE-502 Deserialization of Untrusted Data (Primary)
- CWE-94 Improper Control of Generation of Code ('Code Injection') (Primary)
CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
- [Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
- [Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References
- github.com/advisories/GHSA-63cw-57p8-fm3p (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-24747 (NVD)
- github.com/pytorch/pytorch/163122/commit/954dc5183ee9205cbe79876ad05dd2d9ae752139 (fix commit; link as recorded is broken)
- github.com/pytorch/pytorch/issues/163105 (exploit issue)
- github.com/pytorch/pytorch/releases/tag/v2.10.0 (product release)
- github.com/pytorch/pytorch/security/advisories/GHSA-63cw-57p8-fm3p (vendor advisory)
Related Vulnerabilities
- CVE-2024-5452 (9.8) pytorch-lightning: RCE via deepdiff Delta deserialization (same package: torch)
- CVE-2023-43654 (9.8) TorchServe: SSRF + RCE via unrestricted model URL loading (same package: torch)
- CVE-2022-45907 (9.8) PyTorch: RCE via unsafe eval in JIT annotations (same package: torch)
- CVE-2022-0845 (9.8) pytorch-lightning: code injection enables full RCE (same package: torch)
- CVE-2024-35198 (9.8) TorchServe: URL bypass enables arbitrary model loading (same package: torch)