CVE-2026-47749: stable-diffusion.cpp: heap overflow in .ckpt model parser

HIGH
Published June 16, 2026
CISO Take

A heap buffer overflow in stable-diffusion.cpp's pickle (.ckpt) parser allows a crafted PyTorch checkpoint file to trigger memcpy with an attacker-controlled length via sign confusion on the opcode length field, causing heap corruption with a realistic path to code execution. The primary risk is the AI model supply chain: developers and operators routinely download .ckpt files from public repositories like Hugging Face or CivitAI without cryptographic verification, making this a practical and low-friction delivery mechanism. EPSS data is unavailable and the vulnerability is not in CISA KEV with no public exploit code, moderating near-term exploitation likelihood — however, the low attack complexity and the fact that model loading is a trusted, routine action in every AI deployment keep this actionable. Immediate remediation: update to commit master-584-0a7ae07 or later; if updating is not yet feasible, migrate to .safetensors format and restrict .ckpt loading to cryptographically verified sources only.

Sources: NVD, GitHub Advisory, MITRE ATLAS

What is the risk?

CVSS 7.8 High with a local attack vector and required user interaction places this below network-exploitable severity on paper, but the model download workflow in AI environments effectively bridges that gap: loading a model file is a routine, trusted action that bypasses most user suspicion. The root cause (CWE-122/CWE-787: sign confusion enabling an attacker-controlled memcpy length) is a well-understood and historically exploitable class of heap overflow. No public exploit exists and the vulnerability is not listed in CISA KEV, but any heap overflow where the attacker controls both the source bytes and the copy length is a credible RCE candidate depending on heap layout. Risk is elevated for organizations operating local Stable Diffusion deployments or building production applications on stable-diffusion.cpp that accept externally sourced model files.

How does the attack unfold?

  1. Craft Malicious Checkpoint (AML.T0018.002): Adversary creates a .ckpt file with a malformed SHORT_BINUNICODE opcode where the signed length field is set to a negative value, which will be misinterpreted as a massive unsigned integer when passed to memcpy.

  2. Publish to Model Hub (AML.T0058): Adversary uploads the weaponized .ckpt file to a public model sharing platform with a convincing model card and fabricated metadata to attract downloads from legitimate users.

  3. Victim Loads Model (AML.T0011.000): A developer or operator downloads and loads the malicious checkpoint through their stable-diffusion.cpp-based application as part of routine model evaluation or deployment.

  4. Heap Corruption and RCE (AML.T0010.003): The vulnerable pickle parser triggers memcpy with the attacker-controlled oversized length, corrupting heap memory adjacent to the allocation and enabling process crash or code execution on the host.

How severe is it?

CVSS 3.1
7.8 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Moderate

What is the attack surface?

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

What should I do?

  1. Update stable-diffusion.cpp to commit master-584-0a7ae07 or any release tagged after this fix — this is the only complete remediation.

  2. If immediate update is not possible, disable .ckpt file loading entirely and require .safetensors format, which avoids pickle deserialization entirely.

  3. Establish an allowlist of trusted model sources and enforce cryptographic checksum verification (SHA-256) before loading any model file.

  4. Run model loading in a sandboxed subprocess or container with seccomp/AppArmor profiles restricting memory operations and network access, containing the blast radius of heap corruption.

  5. Deploy picklescan or fickling to scan .ckpt files pre-load — both tools can detect unusual or malicious pickle opcodes including anomalous SHORT_BINUNICODE payloads.

  6. Monitor application processes for unexpected crashes during model loading as an early detection signal for exploitation attempts.
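The fallback controls in steps 2, 3 and 5 can be enforced as a single pre-load gate. The following is an added example written for this page, not code from the stable-diffusion.cpp project or from picklescan or fickling: it computes the file's SHA-256 and checks it against an allowlist, accepts .safetensors on that basis alone, and for .ckpt walks the pickle opcode stream with the standard library's pickletools (nothing is ever unpickled), refusing files whose GLOBAL/STACK_GLOBAL references fall outside a short allowlist of torch state_dict globals, whose streams are malformed, or whose SHORT_BINUNICODE lengths would read as negative in a signed byte. The ALLOWED_GLOBALS set, the 128-byte threshold for that last check and the sample checkpoints are assumptions and constructed inputs, not values taken from the advisory.

```python
"""Pre-load gate for diffusion model checkpoints.  Added illustration, not code
from the stable-diffusion.cpp project: every file must match a SHA-256
allowlist, .safetensors needs nothing else, .ckpt contents are opcode-scanned
without ever being unpickled, and any other format is refused."""
import collections
import hashlib
import io
import pickle
import pickletools
import sys
import zipfile

# Globals a plain torch state_dict checkpoint references.  Assumption: this is
# a starting set; grow it from checkpoints you already trust, never from the
# file under test.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
    ("torch", "FloatStorage"),
    ("torch", "HalfStorage"),
    ("torch", "BFloat16Storage"),
}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}
MEMO_OPS = {"MEMOIZE", "BINPUT", "LONG_BINPUT"}


def scan_pickle(stream: bytes) -> list:
    """Walk one pickle stream with pickletools.genops and return findings;
    an empty list means nothing suspicious.  Nothing is executed or unpickled."""
    findings = []
    recent = []  # string pushes right before a STACK_GLOBAL: (module, name)
    try:
        for op, arg, pos in pickletools.genops(stream):
            if op.name in STRING_OPS:
                recent = (recent + [arg])[-2:]
                # The protocol stores SHORT_BINUNICODE's length as one unsigned
                # byte; a parser that reads it into a signed type sees 128..255
                # as negative.  Assumption: that is the sign confusion the
                # advisory describes, so such lengths are reported for review.
                n = len(arg.encode("utf-8"))
                if op.name == "SHORT_BINUNICODE" and n >= 0x80:
                    findings.append(f"offset {pos}: SHORT_BINUNICODE length {n} has the sign bit set")
            elif op.name in MEMO_OPS:
                pass  # memo bookkeeping sits between the two pushes and STACK_GLOBAL
            elif op.name in ("GLOBAL", "INST", "STACK_GLOBAL"):
                if op.name == "STACK_GLOBAL":
                    parts = recent  # operands come from the two preceding pushes
                else:
                    parts = arg.split(" ", 1)  # genops yields "module name"
                if len(parts) != 2:
                    findings.append(f"offset {pos}: {op.name} operands could not be resolved")
                elif tuple(parts) not in ALLOWED_GLOBALS:
                    findings.append(f"offset {pos}: unexpected global {parts[0]}.{parts[1]}")
                recent = []
            else:
                recent = []
    except ValueError as exc:
        # Truncated argument, unknown opcode or missing STOP: a malformed stream
        # must never reach a hand-written parser.
        findings.append(f"malformed pickle stream: {exc}")
    return findings


def pickle_streams(data: bytes):
    """Yield (member, bytes) for each pickle stream in a checkpoint.  torch.save
    writes a zip archive whose object graph is a '.pkl' member; anything that
    is not a zip is treated as one raw pickle stream."""
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            for info in zf.infolist():
                if info.filename.endswith(".pkl"):
                    yield info.filename, zf.read(info)
    else:
        yield "<raw>", data


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def gate_checkpoint(name: str, data: bytes, allowlist: set) -> list:
    """Return the reasons to refuse loading; an empty list means proceed."""
    reasons = []
    digest = sha256_hex(data)
    if digest not in allowlist:
        reasons.append(f"sha256 {digest} is not on the allowlist")
    lower = name.lower()
    if lower.endswith(".safetensors"):
        return reasons  # no deserialization step to scan
    if not lower.endswith(".ckpt"):
        reasons.append(f"refusing unsupported model format: {name}")
        return reasons
    for member, stream in pickle_streams(data):
        reasons.extend(f"{member}: {f}" for f in scan_pickle(stream))
    return reasons


def build_demo_ckpt(obj) -> bytes:
    """Constructed sample input: pickle obj into a one-member zip the way
    torch.save's format lays it out.  Test data only, not a real model."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", pickle.dumps(obj, protocol=4))
    return buf.getvalue()


# Constructed samples: a benign state_dict-style checkpoint, one referencing a
# global outside the allowlist, a raw stream whose SHORT_BINUNICODE claims 255
# bytes but carries 5, and a well-formed stream with a 200-byte string.
BENIGN_CKPT = build_demo_ckpt({"state_dict": collections.OrderedDict(weight=[0.5, 0.25])})
SUSPICIOUS_CKPT = build_demo_ckpt(collections.Counter(a=1))
TRUNCATED_STREAM = b"\x80\x04\x8c\xff" + b"x" * 5
LONG_KEY_STREAM = pickle.dumps("k" * 200, protocol=4)

if __name__ == "__main__":
    # usage: python gate.py model.ckpt <allowlisted sha256> [...]
    path, allowed = sys.argv[1], set(sys.argv[2:])
    with open(path, "rb") as fh:
        problems = gate_checkpoint(path, fh.read(), allowed)
    print("\n".join(problems) or "ok: checkpoint passed the gate")
    sys.exit(1 if problems else 0)
```

Run it as `python gate.py model.ckpt <sha256>` from a wrapper that only hands the path to the real loader when the exit code is 0. The scan complements step 5 rather than replacing the update in step 1: an allowlist scanner can only refuse what it recognizes, and a malformed stream that it rejects today is exactly the input the fixed parser must also reject.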

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 9 - Risk management system
ISO 42001: A.6.2.6 - AI supply chain
NIST AI RMF: MAP 5.2 - Practices and personnel for identifying AI risks in the supply chain
OWASP LLM Top 10: LLM03 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2026-47749?

See the CISO Take summary at the top of this page.

Is CVE-2026-47749 actively exploited?

No confirmed active exploitation of CVE-2026-47749 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-47749?

See the six steps under "What should I do?" above.

What systems are affected by CVE-2026-47749?

This vulnerability affects the following AI/ML architecture patterns: local model inference, image generation pipelines, model evaluation workflows, AI developer toolchains, inference serving APIs.

What is the CVSS score for CVE-2026-47749?

CVE-2026-47749 has a CVSS v3.1 base score of 7.8 (HIGH).

What is the AI security impact?

Affected AI Architectures

local model inference, image generation pipelines, model evaluation workflows, AI developer toolchains, inference serving APIs

MITRE ATLAS Techniques

AML.T0010.003 Model
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware
AML.T0058 Publish Poisoned Models

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.2.6
NIST AI RMF: MAP 5.2
OWASP LLM Top 10: LLM03

What are the technical details?

Original Advisory

stable-diffusion.cpp is a pure C/C++ library for running diffusion model (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more) inference. Versions prior to master-584-0a7ae07 are vulnerable to heap buffer overflow in SHORT_BINUNICODE parsing for PyTorch checkpoint files. The pickle .ckpt parser in src/model.cpp contained a heap buffer overflow vulnerability in the SHORT_BINUNICODE opcode handler. The issue was caused by sign confusion on the opcode length field. A crafted .ckpt file could trigger memcpy with a very large length derived from a negative signed value, causing immediate heap corruption. Any application using affected stable-diffusion.cpp releases to load untrusted .ckpt model files could be vulnerable. A malicious checkpoint file could cause heap corruption through memcpy with an attacker-controlled length. This may lead to process crash and could potentially be leveraged for code execution depending on heap layout. The attack requires the victim or application to load a .ckpt file from an untrusted source, such as a downloaded model from a model sharing site. The issue has been resolved in version master-584-0a7ae07. If developers are unable to immediately update their applications they can work around this issue by not loading .ckpt checkpoint files from untrusted sources, and referring to trusted model sources and safer formats such as .safetensors where possible.

Exploitation Scenario

An adversary constructs a .ckpt file containing a malformed SHORT_BINUNICODE opcode where the two-byte length field is set to a negative signed value such as -1 (0xFFFF). The vulnerable handler in stable-diffusion.cpp's src/model.cpp interprets this as a very large unsigned integer (~65535), passing it directly to memcpy as the copy length. The adversary publishes this file to a popular model sharing platform under a compelling identity — a fine-tuned character model, a style LoRA, or a checkpoint with fabricated positive reviews. A developer or operator downloads the file as part of normal model evaluation, loads it through their stable-diffusion.cpp application, and the heap buffer overflow fires before any model weights are ever read. The resulting heap corruption causes either an immediate process crash (reliable denial of service) or, with crafted heap grooming in the malicious pickle stream, arbitrary write primitives enabling code execution on the host system.

Weaknesses (CWE)

CWE-122 — Heap-based Buffer Overflow: A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

  • Pre-design: Use a language or compiler that performs automatic bounds checking.
  • Architecture and Design: Use an abstraction library to abstract away risky APIs. Not a complete solution.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Published
June 16, 2026
Last Modified
June 16, 2026
First Seen
June 16, 2026
