CVE-2026-4538: Input Validation flaw enables

CISO Take

CVE-2026-4538 is a deserialization vulnerability in PyTorch's pt2 model loader with a public exploit and no vendor patch in sight. Any environment loading external or shared .pt2 compiled model files is at risk of arbitrary code execution on the loading host. Immediately restrict which model files your pipelines load and from where — treat all external .pt2 artifacts as untrusted until PyTorch ships a fix.

What is the risk?

Medium severity by CVSS (5.3), but practically higher for AI/ML environments due to the public exploit, unpatched status, and the widespread use of PyTorch in training and inference pipelines. The local attack vector lowers the score, but in shared compute environments (Kubernetes nodes, multi-tenant GPU clusters, shared model registries) 'local' is often achievable by a threat actor who can place or tamper with model artifacts. The combination of low complexity, low privilege requirement, and public PoC makes exploitation straightforward once access to the loading path is obtained.

How severe is it?

CVSS 3.1

7.8 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 15% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Advanced

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Local

AC Low

PR Low

UI None

S Unchanged

C High

I High

A High

What should I do?

7 steps

Audit all sources from which your pipelines load .pt2 files — block loading from untrusted or external sources immediately.
Enforce allowlisting of model artifact registries; reject .pt2 files not signed or checksummed against a known-good manifest.
Run model loading operations in isolated, unprivileged sandboxes or containers with no network access and minimal filesystem scope.
Monitor for unexpected process spawning or network connections from PyTorch inference/training processes.
Track PR #176791 on pytorch/pytorch and apply the patch as soon as it merges — pin to the fixed version in all dependency manifests.
Until patched, consider replacing pt2 loading with safer serialization formats (ONNX, SafeTensors) where operationally feasible.
Scan existing .pt2 artifacts in your model registry for unexpected executable content.

What does CISA's SSVC say?

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Model Poisoning Code Execution Framework RAG Model AML.T0010.001 - AI Software AML.T0011.000 - Unsafe AI Artifacts AML.T0018.002 - Embed Malware AML.T0035 - AI Artifact Collection AML.T0058 - Publish Poisoned Models

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system

ISO 42001

A.6.2.6 - AI system supply chain security A.9.7 - AI system resource management and integrity

NIST AI RMF

GOVERN 1.7 - Processes for AI risk management include third-party software MANAGE 2.2 - Mechanisms to sustain deployed AI system performance and security

OWASP LLM Top 10

LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2026-4538?

CVE-2026-4538 is a deserialization vulnerability in PyTorch's pt2 model loader with a public exploit and no vendor patch in sight. Any environment loading external or shared .pt2 compiled model files is at risk of arbitrary code execution on the loading host. Immediately restrict which model files your pipelines load and from where — treat all external .pt2 artifacts as untrusted until PyTorch ships a fix.

Is CVE-2026-4538 actively exploited?

No confirmed active exploitation of CVE-2026-4538 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-4538?

1. Audit all sources from which your pipelines load .pt2 files — block loading from untrusted or external sources immediately. 2. Enforce allowlisting of model artifact registries; reject .pt2 files not signed or checksummed against a known-good manifest. 3. Run model loading operations in isolated, unprivileged sandboxes or containers with no network access and minimal filesystem scope. 4. Monitor for unexpected process spawning or network connections from PyTorch inference/training processes. 5. Track PR #176791 on pytorch/pytorch and apply the patch as soon as it merges — pin to the fixed version in all dependency manifests. 6. Until patched, consider replacing pt2 loading with safer serialization formats (ONNX, SafeTensors) where operationally feasible. 7. Scan existing .pt2 artifacts in your model registry for unexpected executable content.

What systems are affected by CVE-2026-4538?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, MLOps/CI-CD pipelines, model registries, shared GPU compute clusters, inference microservices.

What is the CVSS score for CVE-2026-4538?

CVE-2026-4538 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.24%.

What is the AI security impact?

Affected AI Architectures

model servingtraining pipelinesMLOps/CI-CD pipelinesmodel registriesshared GPU compute clustersinference microservices

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0011.000 Unsafe AI Artifacts

AML.T0018.002 Embed Malware

AML.T0035 AI Artifact Collection

AML.T0058 Publish Poisoned Models

Compliance Controls Affected

EU AI Act: Article 15, Article 9

ISO 42001: A.6.2.6, A.9.7

NIST AI RMF: GOVERN 1.7, MANAGE 2.2

OWASP LLM Top 10: LLM05

What are the technical details?

Original Advisory

A vulnerability was identified in PyTorch 2.10.0. The affected element is an unknown function of the component pt2 Loading Handler. The manipulation leads to deserialization. The attack can only be performed from a local environment. The exploit is publicly available and might be used. The project was informed of the problem early through a pull request but has not reacted yet.

Exploitation Scenario

An adversary with access to a shared model repository or artifact store (e.g., an internal MLflow registry, an S3 bucket, or a shared NFS mount used by a training cluster) crafts a malicious .pt2 file embedding a deserialization payload. When an automated pipeline or data scientist loads the file via PyTorch's pt2 Loading Handler, the payload executes in the process context — potentially establishing a reverse shell, exfiltrating environment variables and cloud credentials, or poisoning the training environment. In multi-tenant GPU clusters where researchers share model checkpoints, the local access requirement is trivially satisfied by any authenticated cluster user.

Weaknesses (CWE)

CWE-20 Improper Input Validation Primary CWE-502 Deserialization of Untrusted Data Primary

CWE-20 — Improper Input Validation: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

[Architecture and Design] Consider using language-theoretic security (LangSec) techniques that characterize inputs using a formal language and build "recognizers" for that language. This effectively requires parsing to be a distinct layer that effectively enforces a boundary between raw input and internal data representations, instead of allowing parser code to be scattered throughout the program, where it could be subject to errors or inconsistencies that create weaknesses. [REF-1109] [REF-1110] [REF-1111]
[Architecture and Design] Use an input validation framework such as Struts or the OWASP ESAPI Validation API. Note that using a framework does not automatically address all input validation problems; be mindful of weaknesses that could arise from misusing the framework itself (CWE-1173).

Source: MITRE CWE corpus.