CVE-2026-4538 — MEDIUM (CVSS 5.3) AI Security Vulnerability

CISO Take

CVE-2026-4538 is a deserialization vulnerability in PyTorch's pt2 model loader with a public exploit and no vendor patch in sight. Any environment loading external or shared .pt2 compiled model files is at risk of arbitrary code execution on the loading host. Immediately restrict which model files your pipelines load and from where — treat all external .pt2 artifacts as untrusted until PyTorch ships a fix.

Severity & Risk

CVSS 3.1

5.3 / 10

EPSS

N/A

KEV Status

Not in KEV

Sophistication

Advanced

Recommended Action

1. Audit all sources from which your pipelines load .pt2 files — block loading from untrusted or external sources immediately. 2. Enforce allowlisting of model artifact registries; reject .pt2 files not signed or checksummed against a known-good manifest. 3. Run model loading operations in isolated, unprivileged sandboxes or containers with no network access and minimal filesystem scope. 4. Monitor for unexpected process spawning or network connections from PyTorch inference/training processes. 5. Track PR #176791 on pytorch/pytorch and apply the patch as soon as it merges — pin to the fixed version in all dependency manifests. 6. Until patched, consider replacing pt2 loading with safer serialization formats (ONNX, SafeTensors) where operationally feasible. 7. Scan existing .pt2 artifacts in your model registry for unexpected executable content.

Classification

Model Poisoning Code Execution Framework RAG Model AML.T0010.001 - AI Software AML.T0011.000 - Unsafe AI Artifacts AML.T0018.002 - Embed Malware AML.T0035 - AI Artifact Collection AML.T0058 - Publish Poisoned Models

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system

ISO 42001

A.6.2.6 - AI system supply chain security A.9.7 - AI system resource management and integrity

NIST AI RMF

GOVERN 1.7 - Processes for AI risk management include third-party software MANAGE 2.2 - Mechanisms to sustain deployed AI system performance and security

OWASP LLM Top 10

LLM05 - Supply Chain Vulnerabilities

Technical Details

NVD Description

A vulnerability was identified in PyTorch 2.10.0. The affected element is an unknown function of the component pt2 Loading Handler. The manipulation leads to deserialization. The attack can only be performed from a local environment. The exploit is publicly available and might be used. The project was informed of the problem early through a pull request but has not reacted yet.

Exploitation Scenario

An adversary with access to a shared model repository or artifact store (e.g., an internal MLflow registry, an S3 bucket, or a shared NFS mount used by a training cluster) crafts a malicious .pt2 file embedding a deserialization payload. When an automated pipeline or data scientist loads the file via PyTorch's pt2 Loading Handler, the payload executes in the process context — potentially establishing a reverse shell, exfiltrating environment variables and cloud credentials, or poisoning the training environment. In multi-tenant GPU clusters where researchers share model checkpoints, the local access requirement is trivially satisfied by any authenticated cluster user.

Weaknesses (CWE)

CWE-20 Primary CWE-502 Primary

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

References

Timeline

Published

March 22, 2026

Last Modified

March 23, 2026

First Seen

March 22, 2026