{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24747", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-26T19:06:16.059Z", "datePublished": "2026-01-27T21:13:46.878Z", "dateUpdated": "2026-02-26T15:04:50.008Z"}, "containers": {"cna": {"title": "PyTorch Vulnerable to Remote Code Execution via Untrusted Checkpoint Files", "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "lang": "en", "description": "CWE-502: Deserialization of Untrusted Data", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/pytorch/pytorch/security/advisories/GHSA-63cw-57p8-fm3p", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pytorch/pytorch/security/advisories/GHSA-63cw-57p8-fm3p"}, {"name": "https://github.com/pytorch/pytorch/issues/163105", "tags": ["x_refsource_MISC"], "url": "https://github.com/pytorch/pytorch/issues/163105"}, {"name": "https://github.com/pytorch/pytorch/163122/commit/954dc5183ee9205cbe79876ad05dd2d9ae752139", "tags": ["x_refsource_MISC"], "url": "https://github.com/pytorch/pytorch/163122/commit/954dc5183ee9205cbe79876ad05dd2d9ae752139"}, {"name": "https://github.com/pytorch/pytorch/releases/tag/v2.10.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/pytorch/pytorch/releases/tag/v2.10.0"}], "affected": [{"vendor": "pytorch", "product": "pytorch", "versions": [{"version": "< 2.10.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-27T21:13:46.878Z"}, "descriptions": [{"lang": "en", "value": "PyTorch is a Python package that provides tensor computation. Prior to version 2.10.0, a vulnerability in PyTorch's `weights_only` unpickler allows an attacker to craft a malicious checkpoint file (`.pth`) that, when loaded with `torch.load(..., weights_only=True)`, can corrupt memory and potentially lead to arbitrary code execution. Version 2.10.0 fixes the issue."}], "source": {"advisory": "GHSA-63cw-57p8-fm3p", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24747", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-30T04:55:40.763016Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T15:04:50.008Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24747", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-28T15:13:59.656526Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T15:14:05.710Z"}}], "cna": {"title": "PyTorch Vulnerable to Remote Code Execution via Untrusted Checkpoint Files", "source": {"advisory": "GHSA-63cw-57p8-fm3p", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "pytorch", "product": "pytorch", "versions": [{"status": "affected", "version": "< 2.10.0"}]}], "references": [{"url": "https://github.com/pytorch/pytorch/security/advisories/GHSA-63cw-57p8-fm3p", "name": "https://github.com/pytorch/pytorch/security/advisories/GHSA-63cw-57p8-fm3p", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/pytorch/pytorch/issues/163105", "name": "https://github.com/pytorch/pytorch/issues/163105", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/pytorch/pytorch/163122/commit/954dc5183ee9205cbe79876ad05dd2d9ae752139", "name": "https://github.com/pytorch/pytorch/163122/commit/954dc5183ee9205cbe79876ad05dd2d9ae752139", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/pytorch/pytorch/releases/tag/v2.10.0", "name": "https://github.com/pytorch/pytorch/releases/tag/v2.10.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "PyTorch is a Python package that provides tensor computation. Prior to version 2.10.0, a vulnerability in PyTorch's `weights_only` unpickler allows an attacker to craft a malicious checkpoint file (`.pth`) that, when loaded with `torch.load(..., weights_only=True)`, can corrupt memory and potentially lead to arbitrary code execution. Version 2.10.0 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502: Deserialization of Untrusted Data"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-27T21:13:46.878Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24747", "state": "PUBLISHED", "dateUpdated": "2026-01-30T04:55:40.231Z", "dateReserved": "2026-01-26T19:06:16.059Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-27T21:13:46.878Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:pytorch:*:*:*:*:*:python:*:*", "matchCriteriaId": "A0FD31BC-C8CC-47C0-B39B-CD8BFDFE8F97", "versionEndExcluding": "2.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "PyTorch is a Python package that provides tensor computation. Prior to version 2.10.0, a vulnerability in PyTorch's `weights_only` unpickler allows an attacker to craft a malicious checkpoint file (`.pth`) that, when loaded with `torch.load(..., weights_only=True)`, can corrupt memory and potentially lead to arbitrary code execution. Version 2.10.0 fixes the issue."}], "id": "CVE-2026-24747", "lastModified": "2026-01-30T21:51:55.367", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-27T22:15:56.470", "references": [{"source": "security-advisories@github.com", "tags": ["Broken Link"], "url": "https://github.com/pytorch/pytorch/163122/commit/954dc5183ee9205cbe79876ad05dd2d9ae752139"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/pytorch/pytorch/issues/163105"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/pytorch/pytorch/releases/tag/v2.10.0"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/pytorch/pytorch/security/advisories/GHSA-63cw-57p8-fm3p"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-502"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "pytorch: PyTorch: Arbitrary code execution via malicious checkpoint file loading", "id": "2433612", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433612"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "(CWE-502|CWE-94)", "details": ["PyTorch is a Python package that provides tensor computation. Prior to version 2.10.0, a vulnerability in PyTorch's `weights_only` unpickler allows an attacker to craft a malicious checkpoint file (`.pth`) that, when loaded with `torch.load(..., weights_only=True)`, can corrupt memory and potentially lead to arbitrary code execution. Version 2.10.0 fixes the issue.", "A flaw was found in PyTorch, a Python package for tensor computation. A remote attacker could craft a malicious checkpoint file, which, when loaded using the `weights_only` unpickler, could lead to memory corruption. This vulnerability may enable an attacker to achieve arbitrary code execution on the affected system."], "name": "CVE-2026-24747", "package_state": [{"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-codeflare-operator-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-codeflare-operator-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-pipeline-runtime-pytorch-rocm-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-training-rocm62-torch24-py311-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-training-rocm62-torch25-py311-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-training-rocm64-torch28-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-vllm-gaudi-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-workbench-jupyter-pytorch-rocm-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}], "public_date": "2026-01-27T21:13:46Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-24747\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-24747\nhttps://github.com/pytorch/pytorch/163122/commit/954dc5183ee9205cbe79876ad05dd2d9ae752139\nhttps://github.com/pytorch/pytorch/issues/163105\nhttps://github.com/pytorch/pytorch/releases/tag/v2.10.0\nhttps://github.com/pytorch/pytorch/security/advisories/GHSA-63cw-57p8-fm3p"], "threat_severity": "Important"}

{"analysis": {"en": {"generated_at": "2026-04-18T19:49:46.489782+00:00", "value": {"mitigation_remediation": ["Upgrade PyTorch to version 2.10.0 or later, which contains the fixed unpickler implementation.", "If an immediate upgrade is not possible, avoid loading checkpoints from untrusted sources by validating the file against a trusted hash or a whitelist before calling torch.load with weights_only=True.", "If weights_only usage must be maintained, replace the default unpickler with a custom implementation that blocks arbitrary code execution, or ensure the checkpoint files are created and managed in a trusted environment."], "summary": {"action": "Patch immediately", "impact": "Remote code execution via deserialized checkpoint files"}, "threat_synthesis": {"affected_systems": "All installations of PyTorch older than version 2.10.0 are vulnerable, including those distributed by the Linux Foundation. Users who import the PyTorch package and load checkpoint files with the weights_only=True flag are at risk.", "description_and_impact": "PyTorch\u2019s weights_only unpickler allows a maliciously crafted .pth file to corrupt memory and potentially trigger arbitrary code execution when loaded with torch.load(..., weights_only=True). The flaw is an unsafe deserialization vulnerability, as reflected by CWE-502 and an underlying limitation of the unpickling engine, CWE-94.", "risk_and_exploitability": "The CVSS score of 8.8 indicates a high severity vulnerability. Although the EPSS score is less than 1%, indicating a low current likelihood of widespread exploitation, the potential impact warrants prompt remediation. The issue is not yet listed in the CISA KEV catalog. The attack can occur when a malicious checkpoint file is supplied to the application; the most likely vector is remote input over any channel that delivers the .pth file to the target system, such as file sharing, network transfer, or artifact deployment. This inferred vector comes from the description that the file can be supplied by an attacker and the required torch.load operation."}}}}, "created": "2026-01-28T12:22:21.636813+00:00", "updated": "2026-04-18T20:00:09.287967+00:00", "vendors": ["pytorch", "pytorch$PRODUCT$pytorch"]}