CVE-2026-31249: CosyVoice: insecure deserialization RCE via .pt files

UNKNOWN
Published May 11, 2026
CISO Take

CosyVoice's data preprocessing script loads PyTorch model files using torch.load() without the weights_only=True safety flag, meaning any .pt file placed in a processed data directory can execute arbitrary code via Python's pickle module at parse time. While no CVSS score has been assigned and the vulnerability is absent from CISA KEV, the exploit primitive—crafting a malicious pickle payload—is trivially documented and script-kiddie accessible, making this dangerous wherever CosyVoice pipelines ingest externally-sourced or shared .pt files. Organizations using CosyVoice for voice synthesis or TTS pipelines should patch by pinning to a commit after 6e01309e01bc93bbeb83bdd996b1182a81aaf11e and ensuring all torch.load() calls pass weights_only=True; as an interim control, scan all incoming .pt files with picklescan or fickling before processing.

Sources: NVD, ATLAS, GitHub Advisory

What is the risk?

Risk is moderate-to-high for teams running CosyVoice data preprocessing on untrusted inputs or in multi-tenant and shared environments. Exploitation requires attacker-controlled .pt files to reach the data directory, which is feasible in collaborative AI training environments, shared data lakes, or pipelines consuming external speech datasets from public repositories. The absence of CVSS, KEV status, and public PoC lowers immediate urgency, but insecure pickle deserialization is one of the most well-understood and reliably exploitable vulnerability classes in the ML ecosystem—no specialized ML knowledge is required to build a working exploit.

How does the attack unfold?

Malicious Artifact Creation
Attacker crafts a .pt file containing a malicious pickle payload—such as a reverse shell or credential harvester—disguised as legitimate speaker or utterance embedding data.
AML.T0011.000
Supply Chain Injection
Attacker delivers the malicious .pt file into a data directory the victim will process, via a poisoned public dataset repository, shared data lake, or direct file placement.
AML.T0010.002
Unsafe Deserialization Trigger
Victim runs make_parquet_list.py against the data directory; torch.load() deserializes the malicious .pt file without weights_only=True, triggering pickle code execution mid-pipeline.
AML.T0011.000
Arbitrary Code Execution
Attacker-controlled payload executes with the pipeline process's privileges, enabling lateral movement, exfiltration of model weights and training data, or persistent access to ML infrastructure.
AML.T0018.002

How severe is it?

CVSS 3.1: N/A
EPSS: 0.2% chance of exploitation in 30 days (higher than 11% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

What should I do?

5 steps
  1. Upgrade CosyVoice to a commit after 6e01309e01bc93bbeb83bdd996b1182a81aaf11e that addresses this issue, or manually patch make_parquet_list.py to replace torch.load(path) with torch.load(path, weights_only=True).

  2. Audit all torch.load() calls across your ML codebase for the same insecure pattern.

  3. Integrate picklescan or fickling into CI/CD pipelines to inspect .pt files before ingestion.

  4. Enforce data provenance controls—only load .pt files from cryptographically verified, trusted sources.

  5. Run preprocessing scripts in isolated containers with minimal privileges and no network egress to limit blast radius if exploited.
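As an added example (not from the advisory or the CosyVoice project), a small Python `ast`-based audit for step 2 above: it flags `torch.load()` calls that do not pass an explicit `weights_only=True`, following aliased imports such as `import torch as T` and `from torch import load`. The source it scans is a constructed sample that mimics the pattern the advisory describes, not the real make_parquet_list.py.

```python
"""Static audit for torch.load() calls that do not pass weights_only=True (CWE-502 pattern)."""
import ast
from collections import namedtuple

Finding = namedtuple("Finding", "line reason")


def _torch_names(tree):
    """Names bound to the torch module (import torch as t) and to torch.load (from torch import load)."""
    modules, loads = {"torch"}, set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            modules.update(a.asname or a.name for a in node.names if a.name == "torch")
        elif isinstance(node, ast.ImportFrom) and node.module == "torch":
            loads.update(a.asname or a.name for a in node.names if a.name == "load")
    return modules, loads


def audit_source(source):
    """One Finding per torch.load() call lacking weights_only=True; PyTorch < 2.6 defaults
    it to False, so a missing flag lets pickle run arbitrary code at load time."""
    tree = ast.parse(source)
    modules, loads = _torch_names(tree)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        via_module = (isinstance(f, ast.Attribute) and f.attr == "load"
                      and isinstance(f.value, ast.Name) and f.value.id in modules)
        via_import = isinstance(f, ast.Name) and f.id in loads
        if not (via_module or via_import):
            continue
        flag = next((k.value for k in node.keywords if k.arg == "weights_only"), None)
        if flag is None:
            findings.append(Finding(node.lineno, "weights_only not set"))
        elif not (isinstance(flag, ast.Constant) and flag.value is True):
            findings.append(Finding(node.lineno, "weights_only is not literally True"))
    return sorted(findings, key=lambda x: x.line)


# Constructed sample in the style the advisory describes; not CosyVoice's actual code.
SAMPLE_SOURCE = '''import torch
from torch import load as th_load
def read_embeddings(src_dir):
    utt2embedding = torch.load(src_dir + "/utt2embedding.pt")
    spk2embedding = torch.load(src_dir + "/spk2embedding.pt", weights_only=True)
    speech_token = th_load(src_dir + "/utt2speech_token.pt", weights_only=False)
    return utt2embedding, spk2embedding, speech_token
'''
```

Running `audit_source` over each `.py` file in a repository reports the line of every unsafe load; a call that receives its keywords through `**kwargs` is flagged conservatively as "not set", so review those by hand.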

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

ISO 42001: A.6.1.2 - AI supply chain risk management
NIST AI RMF: GOVERN 6.2 - Policies and procedures for AI supply chain risk
OWASP LLM Top 10: LLM03 - Supply Chain Vulnerabilities; LLM04 - Data and Model Poisoning

Frequently Asked Questions

What is CVE-2026-31249?

CosyVoice's data preprocessing script loads PyTorch model files using torch.load() without the weights_only=True safety flag, meaning any .pt file placed in a processed data directory can execute arbitrary code via Python's pickle module at parse time. While no CVSS score has been assigned and the vulnerability is absent from CISA KEV, the exploit primitive—crafting a malicious pickle payload—is trivially documented and script-kiddie accessible, making this dangerous wherever CosyVoice pipelines ingest externally-sourced or shared .pt files. Organizations using CosyVoice for voice synthesis or TTS pipelines should patch by pinning to a commit after 6e01309e01bc93bbeb83bdd996b1182a81aaf11e and ensuring all torch.load() calls pass weights_only=True; as an interim control, scan all incoming .pt files with picklescan or fickling before processing.

Is CVE-2026-31249 actively exploited?

No confirmed active exploitation of CVE-2026-31249 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-31249?

  1. Upgrade CosyVoice to a commit after 6e01309e01bc93bbeb83bdd996b1182a81aaf11e that addresses this issue, or manually patch make_parquet_list.py to replace torch.load(path) with torch.load(path, weights_only=True).

  2. Audit all torch.load() calls across your ML codebase for the same insecure pattern.

  3. Integrate picklescan or fickling into CI/CD pipelines to inspect .pt files before ingestion.

  4. Enforce data provenance controls—only load .pt files from cryptographically verified, trusted sources.

  5. Run preprocessing scripts in isolated containers with minimal privileges and no network egress to limit blast radius if exploited.

What systems are affected by CVE-2026-31249?

This vulnerability affects the following AI/ML architecture patterns: Training pipelines, Data preprocessing pipelines, MLOps automation, Voice synthesis and TTS systems.

What is the CVSS score for CVE-2026-31249?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

Training pipelines, Data preprocessing pipelines, MLOps automation, Voice synthesis and TTS systems

MITRE ATLAS Techniques

AML.T0010.002 Data
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware

Compliance Controls Affected

ISO 42001: A.6.1.2
NIST AI RMF: GOVERN 6.2
OWASP LLM Top 10: LLM03, LLM04

What are the technical details?

Original Advisory

CosyVoice through commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its make_parquet_list.py data processing tool. The script loads PyTorch .pt files (utterance embeddings, speaker embeddings, speech tokens) using torch.load() without enabling the weights_only=True security parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing malicious .pt files within a data directory. When a victim processes this directory using the tool, arbitrary code is executed on the victim's system.

Exploitation Scenario

An adversary targeting an organization's voice synthesis pipeline identifies CosyVoice as the preprocessing tool for speaker embeddings. They contribute a poisoned speech dataset to a public repository or shared data lake—or socially engineer a data engineer into pulling it—containing a .pt file with an embedded pickle payload encoding a reverse shell. When the victim's automated data pipeline runs make_parquet_list.py against the directory, torch.load() deserializes the payload without safety checks, executing the attacker's code with pipeline process privileges. From there, the attacker pivots laterally to training infrastructure, exfiltrates proprietary model weights, or plants a persistent backdoor.

Timeline

Published: May 11, 2026
Last Modified: May 12, 2026
First Seen: May 11, 2026
