Model
The model itself is an attack surface separate from the code that runs it. The model file is the first concern: pickle-based formats (PyTorch .bin, joblib, older HuggingFace) execute arbitrary code on load, so loading an untrusted model is loading untrusted code; safetensors solves this but adoption is incomplete. The model's behaviour is the second concern: adversarial examples bypass classifiers used as security controls, backdoor patterns planted during training survive deployment unless explicitly tested for, and model-extraction queries can clone proprietary fine-tunes. Production model registries (HuggingFace Hub, Ollama Library) have hosted backdoored variants of popular base models; HuggingFace now scans uploads for known-bad patterns, but defenses lag attacks. We track CVEs against model formats, model-loader libraries, and published research demonstrating new model-level attack classes against shipped commercial models.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2026-5241 | transformers: trust_remote_code bypass enables RCE via model load | transformers | 9.6 |
| HIGH | CVE-2026-46309 | Linux Xe iGPU: cache-bypass leaks cross-process stale data | 7.0 | |
| MEDIUM | CVE-2026-47155 | vLLM: revision pin bypass loads unreviewed artifacts | vllm | 6.5 |
| HIGH | CVE-2026-41523 | vLLM: assert bypass → RCE via poisoned HuggingFace model | vllm | 7.5 |
| MEDIUM | CVE-2026-47748 | stable-diffusion.cpp: OOB read crash via crafted .ckpt file | 5.5 | |
| HIGH | CVE-2026-47749 | stable-diffusion.cpp: heap overflow in .ckpt model parser | 7.8 | |
| HIGH | CVE-2026-47750 | stable-diffusion.cpp: heap overflow via crafted .ckpt model | 7.8 | |
| HIGH | CVE-2026-47747 | stable-diffusion.cpp: .ckpt heap overflow enables RCE | 7.8 | |
| CRITICAL | CVE-2026-48797 | backpropagate: auth bypass exposes LLM training plane | backpropagate | - |
| MEDIUM | CVE-2026-12491 | vLLM: image metadata mishandling corrupts multimodal inputs | rhaiis/vllm-cpu-rhel9 | 4.8 |
| UNKNOWN | CVE-2026-53923 | vLLM: integer truncation leaks GPU memory cross-tenant | vllm | - |
| UNKNOWN | CVE-2026-53875 | picklescan: scanner bypass enables PyTorch RCE | picklescan | - |
| CRITICAL | CVE-2025-71321 | picklescan: blocklist bypass allows arbitrary file write/RCE | picklescan | 9.8 |
| CRITICAL | CVE-2025-71320 | picklescan: deny-list bypass enables arbitrary RCE | picklescan | 9.8 |
| CRITICAL | CVE-2025-71323 | picklescan: ctypes bypass enables full RCE via pickle files | picklescan | 9.8 |
| CRITICAL | CVE-2025-71325 | picklescan: scanner bypass enables RCE via model files | picklescan | 9.8 |
| HIGH | CVE-2025-71322 | PickleScan: pty.spawn bypass enables RCE in model scans | PickleScan | 8.8 |
| CRITICAL | CVE-2026-3490 | picklescan: blocklist bypass enables full RCE | picklescan | 10.0 |
| HIGH | CVE-2026-53872 | picklescan: arbitrary file read bypasses RCE blocklist | picklescan | 7.5 |
| CRITICAL | CVE-2026-53874 | picklescan: scanner bypass enables pickle RCE | picklescan | 9.8 |