CVE-2026-31250: CosyVoice: RCE via unsafe torch.load() in model averaging

UNKNOWN
Published May 11, 2026
CISO Take

CosyVoice's model averaging utility loads PyTorch checkpoint files using torch.load() without the weights_only=True parameter, enabling arbitrary Python code execution via pickle deserialization when processing malicious .pt files. Any ML engineer or automated pipeline running average_model.py against attacker-controlled checkpoints will execute that payload under their own OS credentials — a targeted supply chain attack against fine-tuning and model averaging workflows. While no public exploit or active exploitation is confirmed and the CVE carries no CVSS score yet, crafting malicious pickle payloads is trivial and extensively documented, and ML teams routinely share checkpoint files from community or external sources. Audit all CosyVoice model averaging usage involving externally-sourced checkpoints and apply the fix by pinning past the vulnerable commit or adding weights_only=True to the torch.load() call in average_model.py.

Sources: NVD ATLAS

What is the risk?

MEDIUM. The vulnerability is not remotely exploitable in the traditional sense — it requires an attacker to place malicious .pt checkpoint files in a directory the victim processes with average_model.py. However, the attack is trivially easy to execute once a malicious file is in position, and the ML ecosystem normalizes sharing and reusing checkpoints from Hugging Face, GitHub, and internal repositories without integrity verification. Organizations running automated fine-tuning or model averaging pipelines that pull checkpoints from external or shared sources are at elevated risk.

How does the attack unfold?

Artifact Delivery
Attacker crafts a malicious .pt checkpoint file embedding a pickle payload and places it in a directory accessible to the victim alongside legitimate epoch checkpoints.
AML.T0011.000
Tool Execution
Victim runs CosyVoice's average_model.py against the checkpoint directory, either manually or via an automated MLOps pipeline, triggering the load of all epoch_*.pt files.
AML.T0010.003
Unsafe Deserialization
torch.load() deserializes the malicious checkpoint without restriction, executing the embedded pickle payload as arbitrary Python code on the victim system.
AML.T0018.002
Impact
Attacker achieves code execution under the victim's credentials, enabling lateral movement, credential exfiltration from training infrastructure, or persistent backdoor access to GPU compute environments.
AML.T0112.001

How severe is it?

CVSS 3.1
N/A
EPSS
0.2%
chance of exploitation in 30 days
Higher than 13% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

What should I do?

4 steps
  1. Patch: Update CosyVoice past commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e, or manually change torch.load(path) to torch.load(path, weights_only=True) in average_model.py.

  2. Source validation: Only process checkpoint files from trusted, internally-controlled sources; reject external .pt files for model averaging without cryptographic verification.

  3. Sandbox: Run model averaging tools in isolated environments (containers or VMs) without access to sensitive credentials or downstream infrastructure.

  4. Detection: Scan .pt/.pth files with fickling (Trail of Bits) or picklescan before loading. Monitor for unexpected process spawns or outbound network connections during torch.load() operations.
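The following is an added example, not CosyVoice's code: it reproduces in plain pickle (no torch dependency) the two defensive mechanisms behind steps 1 and 4, a restricted unpickler that refuses any global outside an allowlist, which is what weights_only=True does inside torch.load(), and a picklescan-style static scan of the pickle opcodes that lists every global a file would import before anything is loaded. ALLOWED_GLOBALS, the function names and the two sample checkpoints are constructed for the example; a real .pt archive is a zip whose pickle stream is its data.pkl entry, which would be scanned the same way.

```python
import io
import pickle
import pickletools
from collections import OrderedDict, deque

# Globals a plain state_dict needs. Constructed for this example: a loader for real
# torch checkpoints must also allow torch's storage and _rebuild_tensor globals.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}

def list_globals(data: bytes) -> list:
    # Static scan, as picklescan does: every (module, name) the stream would import,
    # without executing anything. Resolves GLOBAL and STACK_GLOBAL fed by literal strings;
    # a production scanner also resolves memo references (BINGET) back to those strings.
    found, strings = [], []
    for op, arg, _ in pickletools.genops(data):
        if op.name == "GLOBAL":
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            found.append((strings[-2], strings[-1]))
        elif op.name.endswith(("UNICODE", "STRING")):
            strings.append(arg)
    return found

class CheckpointUnpickler(pickle.Unpickler):
    # Restricted loader, the idea behind torch.load(weights_only=True): a global outside
    # the allowlist is refused at import time, before pickle can call it via REDUCE.
    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"refusing to import {module}.{name} from checkpoint")
        return super().find_class(module, name)

def load_checkpoint(data: bytes):
    # Scan first, then load with the restricted unpickler; either step rejects a bad stream.
    bad = [g for g in list_globals(data) if g not in ALLOWED_GLOBALS]
    if bad:
        raise pickle.UnpicklingError(f"checkpoint references disallowed globals: {bad}")
    return CheckpointUnpickler(io.BytesIO(data)).load()

def rejects(data: bytes) -> bool:
    # True when the loader refuses the stream (what a pipeline gate would key on).
    try:
        load_checkpoint(data)
        return False
    except pickle.UnpicklingError:
        return True

# Constructed samples: a benign state_dict-like checkpoint, and one whose stream
# instantiates a class (a harmless deque here) that no state_dict ever references.
BENIGN = pickle.dumps(OrderedDict([("layer.weight", [0.1, 0.2])]), protocol=4)
SUSPECT = pickle.dumps(deque([1, 2]), protocol=4)
```

Run against a real epoch_*.pt, the scan alone is the non-executing check worth wiring into a pipeline before average_model.py ever touches the directory.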

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.10.1 - AI system supply chain security
NIST AI RMF
GOVERN 6.2 - AI risk in the supply chain
OWASP LLM Top 10
LLM03 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2026-31250?

CosyVoice's model averaging utility loads PyTorch checkpoint files using torch.load() without the weights_only=True parameter, enabling arbitrary Python code execution via pickle deserialization when processing malicious .pt files. Any ML engineer or automated pipeline running average_model.py against attacker-controlled checkpoints will execute that payload under their own OS credentials — a targeted supply chain attack against fine-tuning and model averaging workflows. While no public exploit or active exploitation is confirmed and the CVE carries no CVSS score yet, crafting malicious pickle payloads is trivial and extensively documented, and ML teams routinely share checkpoint files from community or external sources. Audit all CosyVoice model averaging usage involving externally-sourced checkpoints and apply the fix by pinning past the vulnerable commit or adding weights_only=True to the torch.load() call in average_model.py.

Is CVE-2026-31250 actively exploited?

No confirmed active exploitation of CVE-2026-31250 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-31250?

  1. Patch: Update CosyVoice past commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e, or manually change torch.load(path) to torch.load(path, weights_only=True) in average_model.py.

  2. Source validation: Only process checkpoint files from trusted, internally-controlled sources; reject external .pt files for model averaging without cryptographic verification.

  3. Sandbox: Run model averaging tools in isolated environments (containers or VMs) without access to sensitive credentials or downstream infrastructure.

  4. Detection: Scan .pt/.pth files with fickling (Trail of Bits) or picklescan before loading. Monitor for unexpected process spawns or outbound network connections during torch.load() operations.

What systems are affected by CVE-2026-31250?

This vulnerability affects the following AI/ML architecture patterns: Model training pipelines, Model fine-tuning workflows, MLOps checkpoint management, Speech synthesis infrastructure.

What is the CVSS score for CVE-2026-31250?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

Model training pipelines
Model fine-tuning workflows
MLOps checkpoint management
Speech synthesis infrastructure

MITRE ATLAS Techniques

AML.T0002.001 Models
AML.T0010.003 Model
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.10.1
NIST AI RMF: GOVERN 6.2
OWASP LLM Top 10: LLM03

What are the technical details?

Original Advisory

CosyVoice through commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its average_model.py model averaging tool. The script loads PyTorch checkpoint files (epoch_*.pt) for model averaging using torch.load() without enabling the weights_only=True security parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing malicious checkpoint files within a directory. When a victim uses the tool to average models from this directory, arbitrary code is executed on the victim's system.

Exploitation Scenario

An adversary targeting an ML team using CosyVoice uploads a malicious epoch_00.pt checkpoint to a shared model repository, Hugging Face model hub, or internal object storage. A researcher downloads the checkpoint directory and runs average_model.py to create an ensemble. torch.load() deserializes the embedded pickle payload, executing a reverse shell or credential harvester under the researcher's OS account. In automated pipelines that periodically pull and average community checkpoints, this triggers without any direct user interaction, giving the attacker persistent access to training infrastructure.

Timeline

Published
May 11, 2026
Last Modified
May 12, 2026
First Seen
May 11, 2026

Related Vulnerabilities