CVE-2026-4538 — MEDIUM (CVSS 5.3) AI Security Vulnerability

CISO Take

CVE-2026-4538 is a deserialization vulnerability in PyTorch's pt2 model loader with a public exploit and no vendor patch in sight. Any environment loading external or shared .pt2 compiled model files is at risk of arbitrary code execution on the loading host. Immediately restrict which model files your pipelines load and from where — treat all external .pt2 artifacts as untrusted until PyTorch ships a fix.

Risk Assessment

Medium severity by CVSS (5.3), but practically higher for AI/ML environments due to the public exploit, unpatched status, and the widespread use of PyTorch in training and inference pipelines. The local attack vector lowers the score, but in shared compute environments (Kubernetes nodes, multi-tenant GPU clusters, shared model registries) 'local' is often achievable by a threat actor who can place or tamper with model artifacts. The combination of low complexity, low privilege requirement, and public PoC makes exploitation straightforward once access to the loading path is obtained.

Severity & Risk

CVSS 3.1

5.3 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 6% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Advanced

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Local

AC Low

PR Low

UI None

S Unchanged

C Low

I Low

A Low

Recommended Action

7 steps

Audit all sources from which your pipelines load .pt2 files — block loading from untrusted or external sources immediately.
Enforce allowlisting of model artifact registries; reject .pt2 files not signed or checksummed against a known-good manifest.
Run model loading operations in isolated, unprivileged sandboxes or containers with no network access and minimal filesystem scope.
Monitor for unexpected process spawning or network connections from PyTorch inference/training processes.
Track PR #176791 on pytorch/pytorch and apply the patch as soon as it merges — pin to the fixed version in all dependency manifests.
Until patched, consider replacing pt2 loading with safer serialization formats (ONNX, SafeTensors) where operationally feasible.
Scan existing .pt2 artifacts in your model registry for unexpected executable content.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Model Poisoning Code Execution Framework RAG Model AML.T0010.001 - AI Software AML.T0011.000 - Unsafe AI Artifacts AML.T0018.002 - Embed Malware AML.T0035 - AI Artifact Collection AML.T0058 - Publish Poisoned Models

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system

ISO 42001

A.6.2.6 - AI system supply chain security A.9.7 - AI system resource management and integrity

NIST AI RMF

GOVERN 1.7 - Processes for AI risk management include third-party software MANAGE 2.2 - Mechanisms to sustain deployed AI system performance and security

OWASP LLM Top 10

LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2026-4538?

CVE-2026-4538 is a deserialization vulnerability in PyTorch's pt2 model loader with a public exploit and no vendor patch in sight. Any environment loading external or shared .pt2 compiled model files is at risk of arbitrary code execution on the loading host. Immediately restrict which model files your pipelines load and from where — treat all external .pt2 artifacts as untrusted until PyTorch ships a fix.

Is CVE-2026-4538 actively exploited?

No confirmed active exploitation of CVE-2026-4538 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-4538?

1. Audit all sources from which your pipelines load .pt2 files — block loading from untrusted or external sources immediately. 2. Enforce allowlisting of model artifact registries; reject .pt2 files not signed or checksummed against a known-good manifest. 3. Run model loading operations in isolated, unprivileged sandboxes or containers with no network access and minimal filesystem scope. 4. Monitor for unexpected process spawning or network connections from PyTorch inference/training processes. 5. Track PR #176791 on pytorch/pytorch and apply the patch as soon as it merges — pin to the fixed version in all dependency manifests. 6. Until patched, consider replacing pt2 loading with safer serialization formats (ONNX, SafeTensors) where operationally feasible. 7. Scan existing .pt2 artifacts in your model registry for unexpected executable content.

What systems are affected by CVE-2026-4538?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, MLOps/CI-CD pipelines, model registries, shared GPU compute clusters, inference microservices.

What is the CVSS score for CVE-2026-4538?

CVE-2026-4538 has a CVSS v3.1 base score of 5.3 (MEDIUM). The EPSS exploitation probability is 0.02%.

Technical Details

NVD Description

A vulnerability was identified in PyTorch 2.10.0. The affected element is an unknown function of the component pt2 Loading Handler. The manipulation leads to deserialization. The attack can only be performed from a local environment. The exploit is publicly available and might be used. The project was informed of the problem early through a pull request but has not reacted yet.

Exploitation Scenario

An adversary with access to a shared model repository or artifact store (e.g., an internal MLflow registry, an S3 bucket, or a shared NFS mount used by a training cluster) crafts a malicious .pt2 file embedding a deserialization payload. When an automated pipeline or data scientist loads the file via PyTorch's pt2 Loading Handler, the payload executes in the process context — potentially establishing a reverse shell, exfiltrating environment variables and cloud credentials, or poisoning the training environment. In multi-tenant GPU clusters where researchers share model checkpoints, the local access requirement is trivially satisfied by any authenticated cluster user.