CVE-2026-47750: stable-diffusion.cpp: heap overflow via crafted .ckpt model
Severity: HIGH
stable-diffusion.cpp contains a heap buffer overflow in its pickle .ckpt checkpoint parser: a crafted model file that lacks an expected newline delimiter causes the GLOBAL opcode handler in src/model.cpp to use -1 as a copy length, corrupting heap memory and creating the conditions for arbitrary code execution on the host running inference. The realistic attack path is malicious model distribution. An adversary publishes a weaponized .ckpt to a community hub such as CivitAI or HuggingFace, where downloading unvetted community fine-tunes is standard practice, which widens the blast radius well beyond what the local attack vector (AV:L) suggests. There is no public exploit and the CVE is not in CISA KEV, but a CVSS 7.8 score with low attack complexity once the file is loaded is a meaningful risk for any team running diffusion-model inference pipelines. Update to master-584-0a7ae07 (commit 0a7ae07) or later, and accept only .safetensors files, which carry no pickle stream, from verified, trusted sources.
What is the risk?
Medium-high risk for organizations deploying stable-diffusion.cpp in image generation pipelines or research environments. The local attack vector and required user interaction limit opportunistic remote exploitation, but the threat model for AI/ML teams is not a remote attacker — it is a poisoned model artifact loaded through normal workflows. Low attack complexity post-delivery, combined with full CIA impact (C:H/I:H/A:H), means successful exploitation is straightforward once a victim loads the file. The absence of a public PoC and KEV entry reduces immediate urgency, but the growing ecosystem of community-shared diffusion models makes the supply chain exposure significant.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| stable-diffusion.cpp | GitHub: leejet/stable-diffusion.cpp (C/C++ library) | builds before master-584-0a7ae07 | master-584-0a7ae07 (commit 0a7ae07) |
If you load .ckpt checkpoints with a stable-diffusion.cpp build older than master-584-0a7ae07, you are affected. Deployments that only ever load .safetensors files do not reach the vulnerable pickle parser, but they should still be updated so that a stray .ckpt cannot re-open the path.
What should I do?
Six steps:
1. Patch: update stable-diffusion.cpp to master-584-0a7ae07 (commit 0a7ae07) or later.
2. Format policy: accept only .safetensors as a model format. A safetensors file carries no pickle stream, so the vulnerable parser path (and pickle's arbitrary-object deserialization) is never reached. The safetensors loader is still native code parsing untrusted bytes, so this narrows the attack surface rather than removing it, and the policy should be enforced by inspecting file contents, not just the extension.
3. Source allowlisting: restrict model loading to a curated registry of verified sources, pinned by content hash; block downloads from arbitrary community sources at the network or application layer.
4. Sandbox model loading: run the loading process in an isolated container or VM with no access to credentials or production data, and treat the first load of any new artifact as untrusted code execution.
5. Detection: audit model inventories for .ckpt files of unverified origin, and scan .ckpt files with picklescan or fickling before loading. These scanners look for dangerous imports in well-formed pickles, so treat any parse error they report on a file as a rejection rather than a clean result.
6. In CI/CD: gate automated model loading jobs on format and provenance checks (format by content, hash match against the allowlisted registry) before execution.
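An added example, not code from stable-diffusion.cpp or its advisory, of the content-based format gate that steps 2, 5 and 6 call for, written in C++ since that is the project's language. It classifies a model file by its bytes rather than its extension, admits only a structurally valid safetensors file (8-byte little-endian header length, then a JSON object, then tensor data) and rejects zip-based or bare pickle checkpoints. The function names, the header size limit and the sample files are assumptions constructed for this example.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <fstream>
#include <iterator>
#include <string>
#include <vector>

enum class ModelFormat { Safetensors, PickleCheckpoint, Unknown };

// Upper bound on the safetensors JSON header; a hypothetical policy value, not from the project.
static const uint64_t kMaxHeaderBytes = 100ull * 1024 * 1024;

// Classify a model file by content. Anything that is not a structurally valid
// safetensors file is denied, so unrecognised formats fail closed.
static ModelFormat classify_model_bytes(const std::vector<uint8_t>& data) {
    // PyTorch .ckpt/.pt/.pth checkpoints are zip archives holding data.pkl;
    // a zip starts with the local file header magic "PK\x03\x04".
    if (data.size() >= 4 && std::memcmp(data.data(), "PK\x03\x04", 4) == 0)
        return ModelFormat::PickleCheckpoint;
    // A bare pickle stream (protocol 2 and later) opens with PROTO 0x80 and the protocol number.
    if (data.size() >= 2 && data[0] == 0x80 && data[1] >= 2 && data[1] <= 5)
        return ModelFormat::PickleCheckpoint;
    // safetensors: u64 little-endian header length N, N bytes of JSON, then raw tensor data.
    if (data.size() < 8) return ModelFormat::Unknown;
    uint64_t n = 0;
    for (int i = 7; i >= 0; i--) n = (n << 8) | data[i];
    // Bound the header against both the policy limit and the bytes actually present.
    if (n == 0 || n > kMaxHeaderBytes || n > data.size() - 8) return ModelFormat::Unknown;
    // The header is a JSON object, optionally padded with spaces for alignment.
    size_t start = 8, end = 8 + static_cast<size_t>(n);
    while (start < end && data[start] == ' ') start++;
    while (end > start && data[end - 1] == ' ') end--;
    if (start >= end || data[start] != '{' || data[end - 1] != '}') return ModelFormat::Unknown;
    return ModelFormat::Safetensors;
}

// Gate used by a loader or CI job: true only for a safetensors file.
static bool model_file_allowed(const std::string& path) {
    std::ifstream f(path, std::ios::binary);
    if (!f) return false;
    std::vector<uint8_t> data((std::istreambuf_iterator<char>(f)), std::istreambuf_iterator<char>());
    return classify_model_bytes(data) == ModelFormat::Safetensors;
}

// Constructed sample: a minimal safetensors file with one F32 tensor of shape [2].
static std::vector<uint8_t> make_safetensors_sample() {
    std::string header =
        "{\"__metadata__\":{\"format\":\"pt\"},"
        "\"w\":{\"dtype\":\"F32\",\"shape\":[2],\"data_offsets\":[0,8]}}";
    while (header.size() % 8 != 0) header.push_back(' ');  // alignment padding, as writers emit
    std::vector<uint8_t> out(8);
    uint64_t n = header.size();
    for (int i = 0; i < 8; i++) out[i] = static_cast<uint8_t>(n >> (8 * i));
    out.insert(out.end(), header.begin(), header.end());
    out.resize(out.size() + 8, 0);  // tensor payload: two zeroed floats
    return out;
}

// Constructed sample: zip local-file-header magic, enough to be recognised as a .ckpt and rejected.
static std::vector<uint8_t> make_zip_ckpt_sample() {
    return {0x50, 0x4B, 0x03, 0x04, 0x14, 0x00, 0x00, 0x00};
}

// Constructed sample: PROTO 2 followed by STOP, an empty but syntactically valid pickle.
static std::vector<uint8_t> make_bare_pickle_sample() {
    return {0x80, 0x02, 0x2E};
}

int main(int argc, char** argv) {
    if (argc < 2) {
        printf("usage: %s <model file>\n", argv[0]);
        return 2;
    }
    bool ok = model_file_allowed(argv[1]);
    printf("%s: %s\n", argv[1], ok ? "safetensors, allowed" : "rejected");
    return ok ? 0 : 1;
}
```

The gate deliberately returns Unknown for anything it cannot positively identify (including protocol 0/1 pickles, which have no PROTO prefix), so an attacker cannot bypass it by picking an unrecognised container; the loader then refuses the file instead of guessing.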
Frequently Asked Questions
What is CVE-2026-47750?
A heap buffer overflow (CWE-787) in the pickle .ckpt parser of stable-diffusion.cpp: a crafted checkpoint missing an expected newline makes the GLOBAL opcode handler in src/model.cpp use -1 as a copy length, corrupting the heap and opening the door to code execution on the inference host. It is rated HIGH (CVSS 3.1 base score 7.8, local vector, user interaction required), has no public exploit and no CISA KEV entry, and is fixed in master-584-0a7ae07. The summary at the top of this page gives the full picture.
Is CVE-2026-47750 actively exploited?
No confirmed active exploitation of CVE-2026-47750 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-47750?
Follow the six steps listed above: update to master-584-0a7ae07 or later; accept only .safetensors, enforced by file content; load models only from an allowlisted registry; sandbox the loading process; scan existing .ckpt files with picklescan or fickling and audit their provenance; and gate CI/CD model loads on format and provenance checks.
What systems are affected by CVE-2026-47750?
This vulnerability affects the following AI/ML architecture patterns: local inference, model serving, image generation pipelines, training pipelines.
What is the CVSS score for CVE-2026-47750?
CVE-2026-47750 has a CVSS v3.1 base score of 7.8 (HIGH).
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0010.003 Model
- AML.T0011.000 Unsafe AI Artifacts
- AML.T0018.002 Embed Malware
- AML.T0058 Publish Poisoned Models
- AML.T0112.001 AI Artifacts
What are the technical details?
Original Advisory
stable-diffusion.cpp is a pure C/C++ library for running diffusion model (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more) inference. In versions prior to master-584-0a7ae07, the pickle .ckpt parser in src/model.cpp contained a heap buffer overflow vulnerability in the GLOBAL opcode handler. The issue was caused by missing validation when searching for newline-delimited fields. A crafted .ckpt file without the expected newline could cause the parser to use -1 as a copy length, resulting in immediate heap corruption. The attack requires the victim or application to load a .ckpt file from an untrusted source, such as a downloaded model from a model sharing site. The issue has been resolved in version master-584-0a7ae07. If developers are unable to immediately update their applications they can work around this issue by following these instructions: do not load .ckpt checkpoint files from untrusted sources, and prefer trusted model sources and safer formats such as .safetensors where possible.
Exploitation Scenario
An adversary crafts a .ckpt file whose embedded pickle stream contains a GLOBAL opcode record with no terminating newline, uploads it to a public model-sharing platform disguised as a popular Stable Diffusion LoRA or fine-tune, and dresses it up with realistic metadata and a plausible README. A developer or automated inference pipeline downloads the file and loads it with a vulnerable stable-diffusion.cpp build. The parser reaches the GLOBAL opcode handler, fails to find the newline, and passes the search's -1 not-found result straight through as a copy length; the advisory's description of a -1 length points to that sentinel being treated as an unsigned size, so the copy runs far past the heap buffer. Because the adversary controls the bytes around the record, the corruption can be shaped to redirect execution flow, giving arbitrary code execution on the host running inference, from which they can exfiltrate API keys, establish persistence, or pivot to adjacent systems. Even when a reliable code-execution chain is not achieved, the oversized copy crashes the loader, so denial of service is the floor, not the ceiling, of the impact.
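As an added illustration, not code from stable-diffusion.cpp, its advisory or the fix, the pattern described above in C++: a hypothetical find_char helper that returns -1 when the newline is absent, the vulnerable use of that sentinel as a copy length (computed but never executed, since the copy itself is the overflow), and a hardened GLOBAL-argument parser that bounds every search by the bytes available and rejects an unterminated field. The helper and function names are assumptions, and the byte strings are constructed samples of the two newline-terminated arguments that follow a pickle GLOBAL opcode.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>

// Scan buf[0..len) for byte c; return its offset or -1 if absent.
// Hypothetical helper modelled on the hand-written search the advisory describes.
static int find_char(const uint8_t* buf, int len, char c) {
    for (int pos = 0; pos < len; pos++) {
        if (buf[pos] == static_cast<uint8_t>(c)) return pos;
    }
    return -1;
}

// Vulnerable pattern: the -1 "not found" sentinel flows into the copy length unchecked.
// This only computes the length the copy would use; performing the copy is the overflow.
static size_t vulnerable_global_copy_len(const uint8_t* buf, int len) {
    int nl = find_char(buf, len, '\n');
    return static_cast<size_t>(nl);  // -1 converts to SIZE_MAX, far beyond any heap buffer
}

struct GlobalRef {
    std::string module;
    std::string name;
};

// Hardened handler for the pickle GLOBAL ('c') opcode, whose arguments are two
// newline-terminated strings (module, then qualified name). Every search is
// bounded by the bytes actually available, and a missing newline is an error.
// Returns the number of argument bytes consumed, or -1 for malformed input.
static int parse_global_args(const uint8_t* buf, int len, GlobalRef& out) {
    if (buf == nullptr || len <= 0) return -1;
    int nl1 = find_char(buf, len, '\n');
    if (nl1 < 0) return -1;                      // first field unterminated
    int rest = len - (nl1 + 1);
    int nl2 = find_char(buf + nl1 + 1, rest, '\n');
    if (nl2 < 0) return -1;                      // second field unterminated
    out.module.assign(reinterpret_cast<const char*>(buf), nl1);
    out.name.assign(reinterpret_cast<const char*>(buf) + nl1 + 1, nl2);
    return nl1 + 1 + nl2 + 1;
}

// Constructed sample argument bytes (what follows a 'c' opcode in the stream).
static const char kBenignGlobal[]  = "collections\nOrderedDict\n";
static const char kCraftedGlobal[] = "collections OrderedDict";   // no newline at all

int main() {
    const uint8_t* crafted = reinterpret_cast<const uint8_t*>(kCraftedGlobal);
    int crafted_len = static_cast<int>(strlen(kCraftedGlobal));
    printf("vulnerable copy length on crafted input: %zu\n",
           vulnerable_global_copy_len(crafted, crafted_len));

    GlobalRef ref;
    int consumed = parse_global_args(crafted, crafted_len, ref);
    printf("hardened parser on crafted input: %d (rejected)\n", consumed);

    const uint8_t* benign = reinterpret_cast<const uint8_t*>(kBenignGlobal);
    consumed = parse_global_args(benign, static_cast<int>(strlen(kBenignGlobal)), ref);
    printf("hardened parser on benign input: %d bytes consumed, %s.%s\n",
           consumed, ref.module.c_str(), ref.name.c_str());
    return 0;
}
```

The fix is not the sign check alone: the second search is also bounded by the remaining bytes, so a file that terminates the module field but not the name field is rejected rather than read past the end. A real loader would additionally check the returned module.name pair against an allowlist before resolving it, which is the property picklescan-style tools test for.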
Weaknesses (CWE)
CWE-787 — Out-of-bounds Write: The product writes data past the end, or before the beginning, of the intended buffer.
- [Requirements] Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer. Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe.
- [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References
- Fix commit: github.com/leejet/stable-diffusion.cpp/commit/0a7ae07f948eff4611968a65a22bd7c7031ad74f
- Pull request: github.com/leejet/stable-diffusion.cpp/pull/1443
- GitHub Security Advisory: github.com/leejet/stable-diffusion.cpp/security/advisories/GHSA-v37x-jwp7-mcvc
Related Vulnerabilities
- CVE-2025-59528 (10.0) Flowise: Unauthenticated RCE via MCP config injection. Same attack type: Supply Chain
- CVE-2024-2912 (10.0) BentoML: RCE via insecure deserialization (CVSS 10). Same attack type: Supply Chain
- CVE-2023-3765 (10.0) MLflow: path traversal allows arbitrary file read. Same attack type: Supply Chain
- CVE-2025-5120 (10.0) smolagents: sandbox escape enables unauthenticated RCE. Same attack type: Supply Chain
- CVE-2026-21858 (10.0) n8n: Input Validation flaw enables exploitation. Same attack type: Code Execution