CVE-2026-47747: stable-diffusion.cpp: .ckpt heap overflow enables RCE

HIGH
Published June 16, 2026
CISO Take

A heap buffer overflow in stable-diffusion.cpp's pickle parser allows a crafted .ckpt model file to corrupt heap memory and likely achieve code execution on any machine running an affected version. The library underpins native inference for Stable Diffusion, Flux, Wan, and Qwen Image models, meaning the attack surface spans research workstations, self-hosted image generation pipelines, and any deployment that loads .ckpt checkpoints downloaded from community hubs. With no public exploit, no EPSS data, and no KEV listing, opportunistic mass exploitation is unlikely today — but the realistic threat model is AI supply chain poisoning: an adversary uploads a weaponized .ckpt to a model repository and waits for organic downloads. Update to commit master-584-0a7ae07 immediately, halt loading .ckpt files from unverified sources, and migrate to .safetensors format, which eliminates the pickle deserialization attack surface entirely.

Sources: NVD, GitHub Advisory, ATLAS

What is the risk?

CVSS 7.8 High with low attack complexity and no privileges required positions this as a credible escalation risk, tempered by the local attack vector and required user interaction. The critical contextual factor is model supply chain trust: AI teams routinely pull .ckpt files from community hubs without cryptographic verification, making the actual exploitation path realistic despite moderate technical complexity. This is the first CVE disclosed for stable-diffusion.cpp, there is no public PoC, and it is not in CISA KEV. Overall risk posture is Elevated for organizations running stable-diffusion.cpp against untrusted model sources; Lower for air-gapped or strictly curated model inventories.

How does the attack unfold?

1. Artifact Weaponization (AML.T0011.000)
Adversary crafts a .ckpt file containing a BINUNICODE opcode with a negative signed length value designed to trigger sign confusion in stable-diffusion.cpp's pickle parser.

2. Supply Chain Distribution (AML.T0058)
Weaponized .ckpt is uploaded to a public model hub under a convincing checkpoint name to maximize organic downloads by developers and automated pipelines.

3. Heap Overflow Trigger (AML.T0010.003)
Victim's pipeline loads the malicious .ckpt; src/model.cpp passes the sign-confused length to memcpy, writing far beyond the allocated heap buffer and corrupting adjacent memory.

4. Host Compromise (AML.T0112.001)
Heap corruption yields arbitrary code execution on the inference server or workstation, granting the adversary full confidentiality, integrity, and availability impact on the host.

What systems are affected?

Package                Ecosystem    Vulnerable Range    Patched
stable-diffusion.cpp                                    No patch

Do you use stable-diffusion.cpp? You're affected.

How severe is it?

CVSS 3.1: 7.8 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What is the attack surface?

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

What should I do?

6 steps
  1. Update stable-diffusion.cpp to commit master-584-0a7ae07 or any subsequent release.

  2. Until patched: only load .ckpt files whose SHA-256 hash matches a value obtained from the original trusted author via a separate channel.

  3. Migrate model loading pipelines to .safetensors format, which does not use pickle and eliminates this entire attack class.

  4. Scan all .ckpt files with picklescan or fickling prior to loading — both tools detect malicious BINUNICODE and related opcode abuse.

  5. Apply seccomp or AppArmor profiles to inference processes to constrain post-exploitation blast radius.

  6. Track GitHub Advisory GHSA-mghm-5mqc-pwmp and the upstream PR #1443 for any follow-on patches.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001: Clause 8.4 - AI System Acquisition, Development and Maintenance
NIST AI RMF: MANAGE 2.2 - Mechanisms to Sustain Value and Manage Risk in Deployed AI
OWASP LLM Top 10: LLM03 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2026-47747?

A heap buffer overflow in stable-diffusion.cpp's pickle parser allows a crafted .ckpt model file to corrupt heap memory and likely achieve code execution on any machine running an affected version. The library underpins native inference for Stable Diffusion, Flux, Wan, and Qwen Image models, meaning the attack surface spans research workstations, self-hosted image generation pipelines, and any deployment that loads .ckpt checkpoints downloaded from community hubs. With no public exploit, no EPSS data, and no KEV listing, opportunistic mass exploitation is unlikely today — but the realistic threat model is AI supply chain poisoning: an adversary uploads a weaponized .ckpt to a model repository and waits for organic downloads. Update to commit master-584-0a7ae07 immediately, halt loading .ckpt files from unverified sources, and migrate to .safetensors format, which eliminates the pickle deserialization attack surface entirely.

Is CVE-2026-47747 actively exploited?

No confirmed active exploitation of CVE-2026-47747 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-47747?

  1. Update stable-diffusion.cpp to commit master-584-0a7ae07 or any subsequent release.
  2. Until patched: only load .ckpt files whose SHA-256 hash matches a value obtained from the original trusted author via a separate channel.
  3. Migrate model loading pipelines to .safetensors format, which does not use pickle and eliminates this entire attack class.
  4. Scan all .ckpt files with picklescan or fickling prior to loading; both tools detect malicious BINUNICODE and related opcode abuse.
  5. Apply seccomp or AppArmor profiles to inference processes to constrain post-exploitation blast radius.
  6. Track GitHub Advisory GHSA-mghm-5mqc-pwmp and the upstream PR #1443 for any follow-on patches.

What systems are affected by CVE-2026-47747?

This vulnerability affects the following AI/ML architecture patterns: image generation pipelines, model serving, local inference environments, AI model distribution pipelines.

What is the CVSS score for CVE-2026-47747?

CVE-2026-47747 has a CVSS v3.1 base score of 7.8 (HIGH).

What is the AI security impact?

Affected AI Architectures

  • image generation pipelines
  • model serving
  • local inference environments
  • AI model distribution pipelines

MITRE ATLAS Techniques

AML.T0010.003 Model
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware
AML.T0058 Publish Poisoned Models

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: Clause 8.4
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM03

What are the technical details?

Original Advisory

stable-diffusion.cpp is a pure C/C++ library for running diffusion model (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more) inference. In versions prior to master-584-0a7ae07, the pickle .ckpt parser in src/model.cpp contained a heap buffer overflow vulnerability in the BINUNICODE opcode handler. The issue was caused by sign confusion on the opcode length field. A crafted .ckpt file could trigger memcpy with a very large length derived from a negative signed value, causing immediate heap corruption. The issue has been resolved in version master-584-0a7ae07. If developers are unable to immediately update their applications they can work around this issue by only loading .ckpt checkpoint files from trusted sources and preferring trusted model sources and safer formats such as .safetensors where possible.

Exploitation Scenario

An adversary crafts a .ckpt file containing a malformed BINUNICODE opcode whose 4-byte length field encodes a large negative signed integer. When the victim's pipeline loads the file, stable-diffusion.cpp's pickle parser in src/model.cpp interprets the value as an unsigned size and passes it to memcpy, writing far beyond the allocated heap buffer. The adversary uploads this file to HuggingFace Hub or CivitAI under a convincing model name (e.g., a high-resolution fine-tune of a popular checkpoint). A developer or automated download script pulls and test-loads it; heap corruption enables shellcode execution, yielding a reverse shell on the developer's workstation or inference server — with access to local model weights, API keys in environment variables, and internal network connectivity.
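The sign confusion described in the advisory and scenario above, as an added C example that is not stable-diffusion.cpp's code: one function shows what memcpy receives when a BINUNICODE length with the top bit set is held in a signed int, and a hardened parser shows the bounds checks that reject such a record before any copy. The record layout (opcode byte 'X', 4-byte little-endian length, payload) and the sample bytes are assumptions constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed pickle BINUNICODE layout for this example: opcode byte 'X',
 * a 4-byte little-endian length, then that many UTF-8 payload bytes. */
#define BINUNICODE_OP 0x58  /* 'X' */

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Models the flawed pattern: the length is held in a signed 32-bit int and
 * then handed to memcpy, whose size parameter is size_t. A length with the
 * top bit set is negative as int32_t and becomes enormous after conversion
 * (the wrap to a negative value is what every mainstream compiler does). */
size_t confused_memcpy_length(const uint8_t *op) {
    int32_t len = (int32_t)read_le32(op + 1);  /* sign confusion happens here */
    return (size_t)len;                         /* the value memcpy would receive */
}

/* Hardened parser: the length stays unsigned and is checked against both the
 * bytes remaining in the input and the destination capacity before any copy. */
bool parse_binunicode(const uint8_t *buf, size_t buf_len, size_t off,
                      char *out, size_t out_cap, size_t *out_len) {
    if (off >= buf_len || buf[off] != BINUNICODE_OP) return false;
    if (buf_len - off < 5) return false;                 /* truncated header */
    uint32_t len = read_le32(buf + off + 1);
    size_t remaining = buf_len - off - 5;
    if (len > remaining || len >= out_cap) return false; /* reject, never copy */
    memcpy(out, buf + off + 5, len);
    out[len] = '\0';
    *out_len = len;
    return true;
}

/* Constructed sample records (not taken from any real checkpoint). */
static const uint8_t GOOD[] = { 'X', 5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t BAD[]  = { 'X', 0xF0, 0xFF, 0xFF, 0xFF };  /* length -16 as int32 */

int main(void) {
    char out[64] = {0};
    size_t n = 0;
    printf("flawed memcpy size for BAD record: %zu\n", confused_memcpy_length(BAD));
    printf("GOOD accepted: %d (\"%s\")\n", parse_binunicode(GOOD, sizeof GOOD, 0, out, sizeof out, &n), out);
    printf("BAD accepted: %d\n", parse_binunicode(BAD, sizeof BAD, 0, out, sizeof out, &n));
    return 0;
}
```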

Weaknesses (CWE)

CWE-122 — Heap-based Buffer Overflow: A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

  • Pre-design: Use a language or compiler that performs automatic bounds checking.
  • Architecture and Design: Use an abstraction library to abstract away risky APIs. Not a complete solution.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Published: June 16, 2026
Last Modified: June 16, 2026
First Seen: June 17, 2026
