CVE-2026-31252: CosyVoice: RCE via unsafe torch.load() deserialization

UNKNOWN
Published May 11, 2026
CISO Take

CosyVoice, an open-source text-to-speech framework by Alibaba's FunAudioLLM, loads PyTorch model weight files using torch.load() without the weights_only=True parameter, allowing any Python object to be deserialized from a malicious .pt file — resulting in arbitrary code execution on the victim's host. The realistic attack path involves an adversary distributing a weaponized model directory through a public model hub, shared link, or compromised internal repository, then relying on a developer or researcher to point the CosyVoice Web UI at it — a social engineering vector that is low-friction in AI/ML teams where sharing pre-trained models is routine. No CVSS score or active exploitation is confirmed, and there is no KEV entry or public exploit, but the insecure deserialization class consistently delivers full host compromise with moderate attacker sophistication once model delivery is achieved, making it a serious risk for any team using CosyVoice in development or research environments. Until an official patch is available, restrict CosyVoice deployments to models loaded from verified, signed sources, audit any torch.load() calls in your own ML codebases for the missing weights_only=True flag, and treat untrusted model files with the same scrutiny as untrusted executables.

Sources: NVD ATLAS

What is the risk?

Despite the absence of a CVSS score at publication time, this vulnerability carries materially high risk. The underlying weakness — torch.load() without weights_only=True — is a well-understood and documented attack class in the ML ecosystem, with proof-of-concept pickle payload generation being trivial using publicly available tools. The blast radius is scoped to environments running CosyVoice Web UI against externally sourced model directories, which describes many voice AI research and prototyping setups. Full RCE with no privilege escalation required post-deserialization places this in the critical severity band pending formal CVSS scoring. The lack of active exploitation and KEV listing moderates immediate urgency, but the exploit pathway is accessible to moderately skilled adversaries and the target demographic (AI/ML developers) routinely loads third-party models, increasing surface area exposure.

How does the attack unfold?

Craft Malicious Model
Adversary generates weaponized .pt files (llm.pt, flow.pt, hift.pt) containing pickle payloads that execute arbitrary Python code upon deserialization.
AML.T0018.002
Distribute via Model Supply Chain
Adversary publishes the malicious model directory to a public model hub, GitHub repository, or delivers it via social engineering to target AI/ML developers.
AML.T0010.003
Trigger Unsafe Deserialization
Victim launches the CosyVoice Web UI pointing to the malicious model directory; torch.load() deserializes the pickle payload without sanitization.
AML.T0011.000
Host Compromise
Arbitrary code executes with victim's OS privileges, enabling credential theft, reverse shell establishment, persistence installation, or lateral movement into CI/CD infrastructure.
AML.T0112.001

How severe is it?

CVSS 3.1
N/A
EPSS
0.1%
chance of exploitation in 30 days
Higher than 2% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Moderate

What should I do?

6 steps
  1. Immediate: Stop loading CosyVoice models from any unverified external source. Treat all externally sourced .pt files as untrusted executables until provenance is confirmed.

  2. Workaround: If using a forked or custom version, patch the model loading calls to use torch.load(path, weights_only=True) and validate that all model files pass safetensors format validation where possible.

  3. Audit: Scan your codebase for any torch.load() calls lacking weights_only=True — tools like semgrep can be used with a custom rule targeting this pattern.

  4. Detection: Monitor process execution events triggered by the Python interpreter during model loading phases; unexpected subprocess spawns or outbound network connections during torch.load() are indicators of compromise.

  5. Long-term: Migrate model weight storage to the safetensors format, which eliminates pickle deserialization entirely and is the PyTorch-recommended secure alternative.

  6. Patch: Track the upstream CosyVoice repository for a commit that introduces weights_only=True and pin to that commit once available.
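As an added example (not CosyVoice's or PyTorch's own code), the audit in step 3 done with Python's ast module instead of semgrep: it flags every torch.load() call that does not pass the literal weights_only=True, including calls made through an import alias. The source it scans is a constructed sample modelled on the llm/flow/hift loaders, not CosyVoice's actual loader code.

```python
"""Static audit for torch.load() calls lacking weights_only=True (CWE-502 pattern)."""
import ast
from typing import List, Tuple

# Constructed sample source: two unsafe loaders (lines 5 and 8) and one safe one (line 11).
SAMPLE_SOURCE = """\
import torch
from torch import load as tload

def load_llm(path):
    return torch.load(path, map_location="cpu")

def load_flow(path):
    return tload(path, weights_only=False)

def load_hift(path):
    return torch.load(path, map_location="cpu", weights_only=True)
"""


def find_unsafe_torch_load(source: str) -> List[Tuple[int, str]]:
    """Return (line number, reason) for each torch.load() call not pinned to weights_only=True."""
    tree = ast.parse(source)
    torch_aliases = {"torch"}   # names bound to the torch module (import torch as th)
    load_aliases = set()        # names bound directly to torch.load (from torch import load)
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.name == "torch":
                    torch_aliases.add(a.asname or "torch")
        elif isinstance(node, ast.ImportFrom) and node.module == "torch":
            for a in node.names:
                if a.name == "load":
                    load_aliases.add(a.asname or "load")
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        is_load = (isinstance(f, ast.Attribute) and f.attr == "load"
                   and isinstance(f.value, ast.Name) and f.value.id in torch_aliases) \
            or (isinstance(f, ast.Name) and f.id in load_aliases)
        if not is_load:
            continue
        kw = {k.arg: k.value for k in node.keywords if k.arg}  # skips **kwargs expansions
        if "weights_only" not in kw:
            # Older PyTorch releases default this to False, so an omitted flag is unsafe.
            findings.append((node.lineno, "weights_only not set"))
        elif not (isinstance(kw["weights_only"], ast.Constant) and kw["weights_only"].value is True):
            findings.append((node.lineno, "weights_only is not the literal True"))
    return sorted(findings)


if __name__ == "__main__":
    for line, reason in find_unsafe_torch_load(SAMPLE_SOURCE):
        print(f"line {line}: {reason}")
```

Point it at real files with open(path).read() in place of SAMPLE_SOURCE; a call that forwards **kwargs is reported as unset, which is the conservative choice for review.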

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
Article 9 - Risk management system
ISO 42001
A.10.1 - AI supply chain management
A.6.2.3 - AI system security controls in design and development
NIST AI RMF
GOVERN 6.2 - Organizational teams document AI risk across supply chain
MANAGE 2.2 - Mechanisms to sustain AI risk treatment
OWASP LLM Top 10
LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2026-31252 actively exploited?

No confirmed active exploitation of CVE-2026-31252 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-31252?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, voice AI pipelines, local AI development environments.

What is the CVSS score for CVE-2026-31252?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

model serving, training pipelines, voice AI pipelines, local AI development environments

MITRE ATLAS Techniques

AML.T0010.003 Model
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware
AML.T0058 Publish Poisoned Models
AML.T0112.001 AI Artifacts

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: A.10.1, A.6.2.3
NIST AI RMF: GOVERN 6.2, MANAGE 2.2
OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

CosyVoice through commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its model loading component. The framework uses torch.load() to load model weight files (e.g., llm.pt, flow.pt, hift.pt) without enabling the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing a malicious model directory containing specially crafted model files. When a victim starts the CosyVoice Web UI pointing to this directory, arbitrary code is executed on the victim's system during the model loading process.

Exploitation Scenario

An adversary targeting an AI/ML development team creates a fork of the CosyVoice model repository on GitHub or uploads a model archive to Hugging Face Hub with a convincing name and README. The malicious llm.pt, flow.pt, or hift.pt files contain a crafted pickle payload that executes a reverse shell or credential harvester when deserialized. The adversary promotes the model via forums, X/Twitter, or direct outreach to the voice AI community. A developer downloads the model directory, runs the standard CosyVoice Web UI launch command pointing to the malicious directory, and during the model loading phase torch.load() deserializes the pickle payload — executing arbitrary Python code with the developer's privileges. From that foothold, the attacker exfiltrates cloud credentials from environment variables or ~/.aws, pivots to internal repositories, or installs persistent access tooling.

Timeline

Published
May 11, 2026
Last Modified
May 12, 2026
First Seen
May 11, 2026

Related Vulnerabilities