CVE-2025-39782 jbd2: prevent softlockup in jbd2_log_do_checkpoint()

In the Linux kernel, the following vulnerability has been resolved: jbd2: prevent softlockup in jbd2logdocheckpoint Both jbd2logdocheckpoint and jbd2journalshrinkcheckpointlist periodically release jlistlock after processing a batch of buffers to avoid long hold times on the jlistlock. However,...

CVE-2025-58756

MONAI Medical Open Network for AI is an AI toolkit for health care imaging. In versions up to and including 1.5.0, in modeldict = torch.loadfullpath, maplocation=torch.devicedevice, weightsonly=True in monai/bundle/scripts.py , weightsonly=True is loaded securely. However, insecure loading method...

Linux kernel 安全漏洞

Linux kernel is the kernel used by Linux, the open source operating system of the Linux Foundation in the United States. A security vulnerability exists in the Linux kernel that stems from the jbd2logdocheckpoint function not handling scheduling correctly, which could lead to a soft lockup...

GHSA-6VM5-6JV9-RJPJ MONAI: Unsafe torch usage may lead to arbitrary code execution

Summary In modeldict = torch.loadfullpath, maplocation=torch.devicedevice, weightsonly=True in monai/bundle/scripts.py , weightsonly=True is loaded securely. However, insecure loading methods still exist elsewhere in the project, such as when loading checkpoints. This is a common practice when...

MONAI: Unsafe torch usage may lead to arbitrary code execution

Summary In modeldict = torch.loadfullpath, maplocation=torch.devicedevice, weightsonly=True in monai/bundle/scripts.py , weightsonly=True is loaded securely. However, insecure loading methods still exist elsewhere in the project, such as when loading checkpoints. This is a common practice when...

PYSEC-2025-141

MONAI Medical Open Network for AI is an AI toolkit for health care imaging. In versions up to and including 1.5.0, in modeldict = torch.loadfullpath, maplocation=torch.devicedevice, weightsonly=True in monai/bundle/scripts.py , weightsonly=True is loaded securely. However, insecure loading method...

CVE-2025-58756

MONAI Medical Open Network for AI is an AI toolkit for health care imaging. In versions up to and including 1.5.0, in modeldict = torch.loadfullpath, maplocation=torch.devicedevice, weightsonly=True in monai/bundle/scripts.py , weightsonly=True is loaded securely. However, insecure loading method...

CVE-2025-58756 MONAI's unsafe torch usage may lead to arbitrary code execution

MONAI Medical Open Network for AI is an AI toolkit for health care imaging. In versions up to and including 1.5.0, in modeldict = torch.loadfullpath, maplocation=torch.devicedevice, weightsonly=True in monai/bundle/scripts.py , weightsonly=True is loaded securely. However, insecure loading method...

CVE-2025-58756 MONAI's unsafe torch usage may lead to arbitrary code execution

MONAI Medical Open Network for AI is an AI toolkit for health care imaging. In versions up to and including 1.5.0, in modeldict = torch.loadfullpath, maplocation=torch.devicedevice, weightsonly=True in monai/bundle/scripts.py , weightsonly=True is loaded securely. However, insecure loading method...

Linux Distros Unpatched Vulnerability : CVE-2025-0426

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A security issue was discovered in Kubernetes where a large number of container checkpoint requests made to the unauthenticated kubelet read-only HTTP endpoint...

NVIDIA Transformers4Rec load_model_trainer_states_from_checkpoint Deserialization of Untrusted Data Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of NVIDIA Transformers4Rec. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the...

PT-2025-37239

Name of the Vulnerable Software and Affected Versions: Linux kernel affected versions not specified Description: A vulnerability exists in the Linux kernel related to potential softlockups within the jbd2 journaling system. Specifically, the jbd2 log do checkpoint function could, under certain...

Linux Distros Unpatched Vulnerability : CVE-2017-18344

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The timercreate syscall implementation in kernel/time/posix-timers.c in the Linux kernel before 4.14.8 doesn't properly validate the sigevent-sigevnotify field,...

Linux Distros Unpatched Vulnerability : CVE-2024-34027

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In the Linux kernel, the following vulnerability has been resolved: f2fs: compress: fix to cover reserve,releasecompressblocks w/ cprwsem lock It needs to cover...

Deserialization of Untrusted Data

Overview llamafactory is an Easy-to-use LLM fine-tuning framework Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the Checkpoint path parameter in the WebUI interface during the training process. An attacker can exploit this vulnerability by supplying a...

DEBIAN-CVE-2025-38333

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to bail out in getnewsegment ------------ cut here ------------ WARNING: CPU: 3 PID: 579 at fs/f2fs/segment.c:2832 newcurseg+0x5e8/0x6dc pc : newcurseg+0x5e8/0x6dc Call trace: newcurseg+0x5e8/0x6dc...

Remote Code Execution (RCE)

llamafactory is vulnerable to Remote Code Execution RCE. The vulnerability is due to the unsafe loading of the vheadfile argument without the weightsonly=True safeguard, allowing attackers to exploit the Checkpoint path parameter via the WebUI to execute arbitrary code...

GHSA-XJ56-P8MM-QMXJ LLaMA-Factory allows Code Injection through improper vhead_file safeguards

Summary A critical remote code execution vulnerability was discovered during the Llama Factory training process. This vulnerability arises because the vheadfile is loaded without proper safeguards, allowing malicious attackers to execute arbitrary malicious code on the host system simply by passi...

CVE-2024-3568

The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data within the loadrepocheckpoint function of the TFPreTrainedModel class. Attackers can execute arbitrary code and commands by crafting a malicious serialized payload, exploiting...

CVE-2021-41203

TensorFlow is an open source platform for machine learning. In affected versions an attacker can trigger undefined behavior, integer overflows, segfaults and CHECK-fail crashes if they can change saved checkpoints from outside of TensorFlow. This is because the checkpoints loading infrastructure ...