CVE-2026-47748: stable-diffusion.cpp: OOB read crash via crafted .ckpt file
Severity: MEDIUM
stable-diffusion.cpp versions prior to master-584-0a7ae07 contain an out-of-bounds read in the pickle opcode parser that is triggered when loading a crafted or truncated .ckpt checkpoint file from an untrusted source. The attack requires local execution with user interaction — an adversary uploads a malicious .ckpt to a model-sharing platform, waits for a developer or automated pipeline to ingest it, and crashes the host process. The CVSS vector records an availability-only impact with no confidentiality or integrity loss, no public exploit exists, and the vulnerability is absent from CISA KEV, all of which lower urgency relative to critical-severity peers. LibFuzzer confirmed reliable crash induction in under one second on malformed inputs, so triggering the crash is trivial once the file is delivered into any application that auto-loads community models. Teams running stable-diffusion.cpp-based inference services should upgrade to the patched commit immediately and enforce a durable policy of loading only .safetensors files from verified sources.
What is the risk?
Medium overall risk. CVSS 5.5 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) is accurate — this is a local, user-triggered crash with no code execution, memory disclosure, or data exfiltration potential. The primary concern is service availability for production image generation APIs that auto-ingest community model files without provenance checks. No public exploit or scanner template exists; EPSS is unavailable but the crash is trivially reproducible. Organizations with automated MLOps pipelines that pull .ckpt files from public repositories (Civitai, HuggingFace) face the highest exposure; air-gapped or curated-source deployments are at negligible risk.
What should I do?
5 steps
- Patch: Update to commit master-584-0a7ae07 or later, which adds consistent buffer-end checks throughout the pickle opcode parser in src/model.cpp.
- Workaround (if immediate patch is not possible): Disable loading of .ckpt files from untrusted or unverified sources; enforce allow-lists of model origins with checksum verification.
- Format migration: Mandate .safetensors format for all model ingestion pipelines — safetensors does not use Python pickle and eliminates this entire class of vulnerability.
- Detection: Monitor inference service processes for unexpected crashes on model load; treat repeated crash-on-load patterns as a potential indicator of malicious file delivery in the pipeline.
- Pipeline hardening: Integrate picklescan or fickling into CI/CD or model ingestion gates to scan incoming .ckpt files before they reach the runtime.
Frequently Asked Questions
Is CVE-2026-47748 actively exploited?
No confirmed active exploitation of CVE-2026-47748 has been reported, but organizations should still patch proactively.
What systems are affected by CVE-2026-47748?
This vulnerability affects the following AI/ML architecture patterns: Image generation pipelines, Model serving, ML model ingestion pipelines.
What is the CVSS score for CVE-2026-47748?
CVE-2026-47748 has a CVSS v3.1 base score of 5.5 (MEDIUM).
MITRE ATLAS Techniques
- AML.T0010.003: Model
- AML.T0011.000: Unsafe AI Artifacts
- AML.T0058: Publish Poisoned Models
What are the technical details?
Original Advisory
stable-diffusion.cpp is a pure C/C++ library for running diffusion model (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more) inference. Versions prior to master-584-0a7ae07 are vulnerable to an out-of-bounds read error through PyTorch checkpoint pickle opcode parsing. The pickle .ckpt parser in src/model.cpp did not consistently check that enough input remained before reading opcode arguments or advancing the parser buffer with a crafted or truncated .ckpt file. Throughout the pickle parser, opcode handlers advanced the parser position with expressions such as buffer += N without first checking that buffer + N <= buffer_end. A truncated file could therefore cause reads past the end of the metadata buffer. LibFuzzer found crashes in under one second using malformed checkpoint inputs. Any application using affected stable-diffusion.cpp releases to load untrusted .ckpt model files could be vulnerable. The attack requires the victim or application to load a .ckpt file from an untrusted source, such as a downloaded model from a model-sharing site. This issue has been fixed in version master-584-0a7ae07. If developers are unable to immediately update their applications, they can work around this issue by ensuring they do not load .ckpt checkpoint files from untrusted sources. They should prefer trusted model sources and safer formats such as .safetensors where possible.
Exploitation Scenario
An adversary crafts a .ckpt file with a truncated pickle stream where opcode argument reads advance the parser buffer past the end of the metadata allocation. The file is published to a popular model-sharing site under a convincing name — for example, a trending Stable Diffusion fine-tune or LoRA adapter. A developer running a stable-diffusion.cpp-based image generation service downloads the file as part of a routine model update or via an automated ingestion pipeline. When the application calls the .ckpt loader, the pickle parser executes opcode handlers that advance the buffer pointer without checking `buffer + N <= buffer_end`, reads past the end of the allocated buffer, and crashes the process. If the service is part of a production API, this results in immediate downtime. An adversary with knowledge of the target organization's model refresh schedule can time repeated uploads to sustain a persistent DoS condition.
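The missing `buffer + N <= buffer_end` check described in the advisory and the scenario above, as an added example that is not stable-diffusion.cpp's own src/model.cpp code: a bounds-checked walker over a small subset of pickle opcodes, fed a constructed stream that is then truncated at the point where an unguarded `buffer += N` would have read past the end of the allocation.

```c
#include <stddef.h>
#include <stdint.h>
/* Subset of pickle opcodes, enough to show the guarded-advance pattern.
   Constructed example; not stable-diffusion.cpp's src/model.cpp parser. */
#define OP_PROTO           0x80  /* 1-byte protocol version      */
#define OP_BININT1         'K'   /* 1-byte unsigned int          */
#define OP_BININT          'J'   /* 4-byte little-endian int     */
#define OP_SHORT_BINSTRING 'U'   /* 1-byte length, then bytes    */
#define OP_BINUNICODE      'X'   /* 4-byte LE length, then bytes */
#define OP_STOP            '.'
enum { PK_OK = 0, PK_TRUNCATED = -1, PK_BAD_OPCODE = -2 };
/* The "buffer + N <= buffer_end" check the unpatched handlers skipped. */
static int have(const uint8_t *p, const uint8_t *end, size_t n) {
    return (size_t)(end - p) >= n;
}
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
/* Walk opcodes until STOP. Every advance is guarded, so a truncated stream
   returns PK_TRUNCATED instead of reading past buf + len. On success *n_ops
   is the number of opcodes consumed, STOP included. */
int pickle_walk(const uint8_t *buf, size_t len, size_t *n_ops) {
    const uint8_t *p = buf, *end = buf + len;
    size_t count = 0, n;
    for (;;) {
        if (!have(p, end, 1)) return PK_TRUNCATED;      /* opcode byte itself */
        uint8_t op = *p++;
        count++;
        switch (op) {
        case OP_PROTO: case OP_BININT1: n = 1; break;
        case OP_BININT: n = 4; break;
        case OP_SHORT_BINSTRING:                          /* length comes from the file */
            if (!have(p, end, 1)) return PK_TRUNCATED;
            n = *p++; break;
        case OP_BINUNICODE:
            if (!have(p, end, 4)) return PK_TRUNCATED;
            n = le32(p); p += 4; break;
        case OP_STOP: *n_ops = count; return PK_OK;
        default: return PK_BAD_OPCODE;
        }
        if (!have(p, end, n)) return PK_TRUNCATED;      /* guard before p += n */
        p += n;
    }
}
/* Constructed stream: PROTO 2, BININT1 7, SHORT_BINSTRING "ckpt", BINUNICODE "hi", STOP */
static const uint8_t SAMPLE[18] = { 0x80, 0x02, 'K', 0x07, 'U', 0x04, 'c', 'k', 'p', 't',
                                    'X', 0x02, 0x00, 0x00, 0x00, 'h', 'i', '.' };
```

Passing `sizeof SAMPLE` walks all five opcodes; passing 16 (cut inside the "hi" payload), 12 (cut inside the BINUNICODE length field) or 17 (STOP missing) returns PK_TRUNCATED at the guard instead of touching bytes beyond the buffer.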
Weaknesses (CWE)
CWE-125 — Out-of-bounds Read: The product reads data past the end, or before the beginning, of the intended buffer.
- [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
- [Architecture and Design] Use a language that provides appropriate memory abstractions.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Related Vulnerabilities
- CVE-2024-2912 (CVSS 10.0): BentoML: RCE via insecure deserialization. Same attack type: Supply Chain
- CVE-2025-59528 (CVSS 10.0): Flowise: Unauthenticated RCE via MCP config injection. Same attack type: Supply Chain
- CVE-2023-3765 (CVSS 10.0): MLflow: path traversal allows arbitrary file read. Same attack type: Supply Chain
- CVE-2025-5120 (CVSS 10.0): smolagents: sandbox escape enables unauthenticated RCE. Same attack type: Supply Chain
- GHSA-vvpj-8cmc-gx39 (CVSS 10.0): picklescan: security flaw enables exploitation. Same attack type: Supply Chain