2 matches found
aigco (=0.0.3), airoboros (>=2.1.6 <=2.2.1) +81 more potentially affected by CVE-2026-31253 via flash-attn (>=0.2.8 <=2.8.3)
flash-attn PYPI version =0.2.8, =2.1.6, =1.1.2, =0.0.0.dev0, =0.1.0, =0.1.0, =0.1.0, =0.0.1, =0.1.3, =0.1.0, =0.0.7rc14, =0.0.1, =0.0.8 and more Source cves: CVE-2026-31253 Source advisory: OSV:GHSA-7G5W-PQ96-8C5W...
CVE-2026-31253
The CVE-2026-31253 entry concerns the flash-attention training framework. A deserialization flaw exists in the checkpoint loading path (checkpoint.py load_checkpoint and eval.py) where torch.load() is used without weights_only=True, enabling pickle-based object deserialization. This can allow an ...