PyTorch code issues and vulnerabilities

PyTorch is an open-source Python package developed by PyTorch. Versions of PyTorch prior to 2.10.0 contained code-related vulnerabilities. These vulnerabilities stemmed from defects in the weightsonly deserializer, which could lead to memory corruption and arbitrary code execution...

AZL-76505 CVE-2026-0994 affecting package pytorch for versions less than 2.0.0-14

A denial-of-service DoS vulnerability exists in google.protobuf.jsonformat.ParseDict in Python, where the maxrecursiondepth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can...

AZL-76602 CVE-2026-0994 affecting package pytorch for versions less than 2.2.2-12

A denial-of-service DoS vulnerability exists in google.protobuf.jsonformat.ParseDict in Python, where the maxrecursiondepth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can...

Azure Linux 3.0 Security Update: python-tensorboard / pytorch (CVE-2021-22569)

The version of python-tensorboard / pytorch installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2021-22569 advisory. - An issue in protobuf-java allowed the interleaving of...

Azure Linux 3.0 Security Update: pytorch (CVE-2024-7776)

The version of pytorch installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-7776 advisory. - A vulnerability in the downloadmodel function of the onnx/onnx framework, before and including version 1.16....

Azure Linux 3.0 Security Update: pytorch (CVE-2024-5187)

The version of pytorch installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-5187 advisory. - A vulnerability in the downloadmodelwithtestdata function of the onnx/onnx framework, version 1.16.0, allows...

CVE-2025-3001 affecting package pytorch for versions less than 2.2.2-10

CVE-2025-3001 affecting package pytorch for versions less than 2.2.2-10. A patched version of the package is available...

CVE-2025-1944

picklescan before 0.0.23 is vulnerable to a ZIP archive manipulation attack that causes it to crash when attempting to extract and scan PyTorch model archives. By modifying the filename in the ZIP header while keeping the original filename in the directory listing, an attacker can make PickleScan...

CVE-2025-1945

picklescan before 0.0.23 fails to detect malicious pickle files inside PyTorch model archives when certain ZIP file flag bits are modified. By flipping specific bits in the ZIP file headers, an attacker can embed malicious pickle files that remain undetected by PickleScan while still being...

Arbitrary Code Execution via Unsafe torch.load() in Trainer Checkpoint Loading

Summary A critical arbitrary code execution vulnerability exists in HuggingFace Transformers' Trainer class. The loadrngstate method at src/transformers/trainer.py:3059 calls torch.load without the weightsonly=True parameter. While a safeglobals context manager wraps this call, it provides no...

BIT-PYTORCH-2025-63396

An issue was discovered in PyTorch v2.5 and v2.7.1. Omission of profiler.stop can cause torch.profiler.profile PythonTracer to crash or hang during finalization, leading to a Denial of Service DoS...

GHSA-46H3-79WF-XR6C Picklescan is vulnerable to RCE via missing detection when calling built-in python _operator.attrgetter

Summary Picklescan uses operator.attrgetter, which is a built-in python library function to execute remote pickle files. Details The attack payload executes in the following steps: - First, the attacker crafts the payload by calling the operator.attrgetter function in the reduce method. - Then,...

GHSA-X843-G5MX-G377 Picklescan is vulnerable to RCE through missing detection when calling built-in python operator.methodcaller

Summary Picklescan uses operator.methodcaller, which is a built-in python library function to execute remote pickle files. Details The attack payload executes in the following steps: - First, the attacker crafts the payload by calling the operator.methodcaller function in method reduce. - Then,...

Picklescan missing detection when calling pty.spawn

Summary Using pty.spawn, which is a built-in python library function to execute arbitrary commands on the host system. Details The attack payload executes in the following steps: First, the attacker craft the payload by calling to pty.spawn function in the reduce method. Then the victim attempts ...

GHSA-9PF3-7RRR-X5JH lmdeploy vulnerable to Arbitrary Code Execution via Insecure Deserialization in torch.load()

Summary An insecure deserialization vulnerability exists in lmdeploy where torch.load is called without the weightsonly=True parameter when loading model checkpoint files. This allows an attacker to execute arbitrary code on the victim's machine when they load a malicious .bin or .pt model file...

lmdeploy vulnerable to Arbitrary Code Execution via Insecure Deserialization in torch.load()

Summary An insecure deserialization vulnerability exists in lmdeploy where torch.load is called without the weightsonly=True parameter when loading model checkpoint files. This allows an attacker to execute arbitrary code on the victim's machine when they load a malicious .bin or .pt model file...

PyTorch torch.lstm_cell memory corruption

...

Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to an Improper Resource Shutdown or Release in PyTorch [CVE-2025-3730]

Summary IBM Watson Speech Services Cartridge is vulnerable to an Improper Resource Shutdown or Release in PyTorch, caused by a flaw in PyTorch 2.6.0 that affects the function torch.nn.functional.ctc CVE-2025-3730. PyTorch is used in our service runtimes. This vulnerabilitiy has been addressed...

Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to an Improper Resource Shutdown or Release in PyTorch [CVE-2025-2953]

Summary IBM Watson Speech Services Cartridge is vulnerable to an Improper Resource Shutdown or Release in PyTorch, due to an issue found in PyTorch 2.6.0+cu124 that affects the function torch.mkldnnmaxpool2d CVE-2025-2953. PyTorch is used in our service runtimes. This vulnerabilitiy has been...

filelock has a TOCTOU race condition which allows symlink attacks during lock file creation

Impact A Time-of-Check-Time-of-Use TOCTOU race condition allows local attackers to corrupt or truncate arbitrary user files through symlink attacks. The vulnerability exists in both Unix and Windows lock file creation where filelock checks if a file exists before opening it with OTRUNC. An attack...