CVE-2026-31239: mamba: RCE via unsafe torch.load() on model load
AWAITING NVD
The mamba language model framework through version 2.2.6 allows arbitrary code execution when loading any model from HuggingFace Hub, because its from_pretrained() method invokes torch.load() without the weights_only=True safeguard, enabling Python pickle deserialization of attacker-controlled content. The blast radius covers every ML team member or automated pipeline that pulls mamba models from HuggingFace — a routine workflow — and exploitation requires nothing beyond a free HuggingFace account and basic knowledge of the pickle format, placing this firmly in script-kiddie territory. There is no public exploit and this CVE is not in CISA KEV, but the attack surface is identical to supply chain patterns already documented against other HuggingFace-hosted frameworks. Immediately upgrade to a patched mamba release or, as a workaround, enforce an allowlist of internally mirrored and manually reviewed model files; run picklescan against all existing .bin model files before the next load.
Risk Assessment
Risk is HIGH despite the absence of a formal CVSS score. Exploitation requires no privileges beyond a free HuggingFace Hub account and no user interaction beyond the standard ML workflow of calling from_pretrained() — a step that most practitioners perform without security scrutiny. Python pickle payload construction is trivially documented and tooled (pickletools, fickling). The impact is full RCE in the mamba process context, which in training and fine-tuning environments routinely runs with broad filesystem access, GPU infrastructure rights, cloud API credentials, and access to proprietary datasets. The primary at-risk population is ML research teams, data scientists, and automated MLOps pipelines that pull models from HuggingFace on a schedule.
Recommended Action
5 steps
- Patch: Upgrade mamba to a release that passes weights_only=True to torch.load() — confirm the fix is present in the changelog before deploying.
- Workaround: Until a patch is confirmed, restrict from_pretrained() calls to internally mirrored model files that have been manually reviewed and hash-verified against a trusted source.
- Detection: Run picklescan (pip install picklescan) or fickling against all .bin model files before loading; flag any file containing non-tensor pickle opcodes as malicious.
- Policy: Implement an approved-repository allowlist for HuggingFace Hub and enforce it at the network egress or CI/CD pipeline level.
- Monitoring: Alert on unexpected child processes, outbound network connections, or filesystem writes spawned from model-loading jobs — these may indicate a triggered pickle payload.
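As an added example (not code from the mamba project, picklescan or fickling), a pre-load check in the spirit of the Detection and Patch steps above: it disassembles the pickle inside a checkpoint with pickletools, flags GLOBAL references outside a small tensor-only allowlist, and only then loads with weights_only=True. The allowlist, the helper names and the constructed sample checkpoints are assumptions made for illustration.

```python
import io, pickle, pickletools, zipfile
from collections import OrderedDict, deque

# Illustrative allowlist (assumption, not PyTorch's or picklescan's list): globals
# a checkpoint that holds nothing but tensors legitimately references.
SAFE_GLOBALS = {("collections", "OrderedDict"), ("torch._utils", "_rebuild_tensor_v2"),
                ("torch", "FloatStorage"), ("torch", "HalfStorage"),
                ("torch", "BFloat16Storage"), ("torch", "LongStorage")}

def pickle_globals(data: bytes) -> set:
    """(module, name) pairs named by GLOBAL/STACK_GLOBAL; disassembly only, nothing runs."""
    found, strings = set(), []
    for op, arg, _ in pickletools.genops(data):
        if op.name == "GLOBAL":             # protocol <= 3: arg is "module name"
            found.add(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":     # protocol 4+: module and name were pushed
            found.add((strings[-2], strings[-1]))
        elif isinstance(arg, str):          # remember pushed strings for STACK_GLOBAL
            strings.append(arg)
    return found

def scan_checkpoint(blob: bytes) -> list:
    """Disallowed globals ("module.name") in torch.save()'s zip container or a bare pickle."""
    pickles = [blob]                        # pre-1.6 legacy multi-pickle layout not handled
    if zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            pickles = [zf.read(n) for n in zf.namelist() if n.endswith(".pkl")]
    bad = {g for p in pickles for g in pickle_globals(p)} - SAFE_GLOBALS
    return sorted(f"{m}.{n}" for m, n in bad)

def load_weights_checked(path: str):
    """Scan, then load with the weights_only=True safeguard the advisory says is missing."""
    with open(path, "rb") as f:
        flagged = scan_checkpoint(f.read())
    if flagged:
        raise ValueError(f"refusing {path}: non-tensor globals {flagged}")
    import torch                            # lazy: the scanner itself needs no torch
    return torch.load(path, map_location="cpu", weights_only=True)

def _fake_checkpoint(obj, protocol: int) -> bytes:
    """Constructed sample in torch.save()'s zip layout; lists stand in for tensors."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("archive/data.pkl", pickle.dumps(obj, protocol=protocol))
    return out.getvalue()

# Constructed samples: a clean state_dict, and one naming a non-tensor class (inert, but
# exactly the kind of reference the allowlist must reject).
CLEAN_BIN = _fake_checkpoint(OrderedDict(weight=[0.1, 0.2], bias=[0.0]), 2)
SUSPECT_BIN = _fake_checkpoint(deque, 4)
```

A real checkpoint that fails the scan should be quarantined and compared against the hash of the trusted mirror copy, not loaded with weights_only=False to "see what it does".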
Frequently Asked Questions
Is CVE-2026-31239 actively exploited?
No confirmed active exploitation of CVE-2026-31239 has been reported, but organizations should still patch proactively.
What systems are affected by CVE-2026-31239?
This vulnerability affects the following AI/ML architecture patterns: training pipelines, MLOps pipelines, transfer learning workflows, model serving, model evaluation environments.
What is the CVSS score for CVE-2026-31239?
No CVSS score has been assigned yet.
Technical Details
NVD Description
The mamba language model framework through 2.2.6 is vulnerable to insecure deserialization (CWE-502) when loading pre-trained models from HuggingFace Hub. The MambaLMHeadModel.from_pretrained() method uses torch.load() to load the pytorch_model.bin weight file without enabling the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by publishing a malicious model repository on HuggingFace Hub. When a victim loads a model from this repository, arbitrary code is executed on the victim's system in the context of the mamba process.
Exploitation Scenario
An adversary creates a free HuggingFace Hub account and publishes a repository that mimics a legitimate mamba model variant — complete with a plausible README, model card, and metadata referencing a known checkpoint. The pytorch_model.bin file is crafted with a malicious pickle payload embedded within the PyTorch serialization envelope using a tool like fickling. A data scientist or automated MLOps job at the target organization runs MambaLMHeadModel.from_pretrained('attacker/convincing-mamba-variant'), triggering torch.load() on the binary, which deserializes and executes the payload. The payload establishes a reverse shell or exfiltrates environment variables containing cloud API keys, HuggingFace tokens, and database credentials, enabling lateral movement into training infrastructure and proprietary data stores.
Related Vulnerabilities
- CVE-2025-59528 (10.0) Flowise: Unauthenticated RCE via MCP config injection. Same attack type: Supply Chain
- CVE-2024-2912 (10.0) BentoML: RCE via insecure deserialization (CVSS 10). Same attack type: Supply Chain
- CVE-2023-3765 (10.0) MLflow: path traversal allows arbitrary file read. Same attack type: Supply Chain
- CVE-2025-5120 (10.0) smolagents: sandbox escape enables unauthenticated RCE. Same attack type: Supply Chain
- CVE-2026-21858 (10.0) n8n: Input Validation flaw enables exploitation. Same attack type: Code Execution