Description
picklescan before 0.0.28 fails to detect malicious torch.jit.unsupported_tensor_ops.execWrapper function calls embedded in pickle files. Attackers can craft malicious pickle files that bypass picklescan detection and execute arbitrary code when loaded via pickle.load().
Published: 2026-06-23
Score: 7.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in picklescan allows attackers to embed torch.jit.unsupported_tensor_ops.execWrapper calls within a pickle file. When a victim loads such a file using pickle.load(), the op executes arbitrary code in the context of the process. This flaw directly compromises the confidentiality, integrity, and availability of the affected system, enabling full remote code execution on the target machine.

Affected Systems

The vulnerability affects all installations of the picklescan tool before version 0.0.28. No specific sub‑versions are listed; any build of picklescan lower than 0.0.28 inherits the flaw.

Risk and Exploitability

The CVSS score of 7.6 indicates high severity. While the EPSS score is not available and the flaw is not listed in the CISA KEV catalog, that does not diminish the risk: the flaw can be exploited by crafting a malicious pickle and supplying it to any process that uses picklescan to load it. Attackers do not require special privileges to initiate the exploit; merely delivering a well‑formed pickle payload is sufficient. The attack vector is inferred to be local or remote depending on how the victim loads the pickle data, but since no network permissions are required, a local compromise can further leverage the vulnerability for broader impact.

Generated by OpenCVE AI on June 23, 2026 at 13:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade picklescan to version 0.0.28 or later to receive the security fix
  • Avoid using pickle.load() on data from untrusted sources; switch to safer serialization mechanisms such as JSON or Protocol Buffers
  • If an immediate upgrade is not possible, mitigate by disabling torch.jit.unsupported_tensor_ops.execWrapper during pickle deserialization or implement a custom whitelist that explicitly blocks this operation
  • Enforce strict input validation and review the code path that processes pickle content to ensure no execWrapper calls are executed
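The allowlist approach named in the third recommendation, as an added example that is not picklescan's or PyTorch's own code: a static opcode walk with pickletools that lists every global a pickle references (so an unexpected torch.jit.unsupported_tensor_ops.execWrapper reference stands out without the file ever being executed), and an Unpickler that resolves only allowlisted globals. The allowlist contents and the two sample pickles are assumptions constructed here.

```python
import io
import pickle
import pickletools
from collections import OrderedDict

# Assumed allowlist: the only globals this loader may resolve. Adjust per application.
SAFE_GLOBALS = {("collections", "OrderedDict")}

# Constructed samples. The first is PROTO 2 + GLOBAL(torch.jit.unsupported_tensor_ops,
# execWrapper) + STOP: it references the op without calling it, which is what a scanner must flag.
SAMPLE_EXECWRAPPER_PICKLE = b"\x80\x02ctorch.jit.unsupported_tensor_ops\nexecWrapper\n."
SAMPLE_BENIGN_PICKLE = pickle.dumps(OrderedDict([("w", 1)]), protocol=4)

_STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}

def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """List every (module, name) a pickle imports by walking opcodes, without executing it."""
    found, recent_strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":  # protocol <= 3: "module name" in one operand
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name in _STRING_OPS:
            recent_strings.append(arg)
        elif op.name == "STACK_GLOBAL":  # protocol 4+: consumes the two most recent strings
            name, module = recent_strings.pop(), recent_strings.pop()
            found.append((module, name))
    return found

def flagged_globals(data: bytes) -> list[tuple[str, str]]:
    """Globals outside the allowlist; any torch.jit.unsupported_tensor_ops entry lands here."""
    return [g for g in referenced_globals(data) if g not in SAFE_GLOBALS]

class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global not on the allowlist."""
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")

def safe_load(data: bytes):
    return AllowlistUnpickler(io.BytesIO(data)).load()

def is_blocked(data: bytes) -> bool:
    """True when the allowlist unpickler refuses the payload (no import is attempted)."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False
```

The static scan is a triage aid only: it approximates STACK_GLOBAL by taking the two most recent string pushes, so the allowlisting unpickler is the control that actually prevents an unexpected global from resolving.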

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 14:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 12:45:00 +0000

Type | Values Removed | Values Added
Description | | picklescan before 0.0.28 fails to detect malicious torch.jit.unsupported_tensor_ops.execWrapper function calls embedded in pickle files. Attackers can craft malicious pickle files that bypass picklescan detection and execute arbitrary code when loaded via pickle.load().
Title | | picklescan - Remote Code Execution via torch.jit.unsupported_tensor_ops.execWrapper
First Time appeared | | Mmaitre314; Mmaitre314 picklescan
Weaknesses | | CWE-502
CPEs | | cpe:2.3:a:mmaitre314:picklescan:*:*:*:*:*:*:*:*
Vendors & Products | | Mmaitre314; Mmaitre314 picklescan
References | |
Metrics | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}
Metrics | | cvssV4_0: {'score': 7.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Mmaitre314 Picklescan
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-23T13:37:33.911Z

Reserved: 2026-06-20T13:01:42.505Z

Link: CVE-2025-71370

Vulnrichment

Updated: 2026-06-23T13:37:10.491Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-23T15:45:04Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data