Description
PyTorch is a Python package that provides tensor computation. Prior to version 2.10.0, a vulnerability in PyTorch's `weights_only` unpickler allows an attacker to craft a malicious checkpoint file (`.pth`) that, when loaded with `torch.load(..., weights_only=True)`, can corrupt memory and potentially lead to arbitrary code execution. Version 2.10.0 fixes the issue.
Published: 2026-01-27
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution via deserialized checkpoint files
Action: Patch immediately
AI Analysis

Impact

PyTorch’s weights_only unpickler allows a maliciously crafted .pth file to corrupt memory and potentially trigger arbitrary code execution when loaded with torch.load(..., weights_only=True). The flaw is an unsafe deserialization vulnerability, as reflected by CWE-502 and an underlying limitation of the unpickling engine, CWE-94.

Affected Systems

All installations of PyTorch older than version 2.10.0 are vulnerable, including those distributed by the Linux Foundation. Users who import the PyTorch package and load checkpoint files with the weights_only=True flag are at risk.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity vulnerability. Although the EPSS score is less than 1%, indicating a low current likelihood of widespread exploitation, the potential impact warrants prompt remediation. The issue is not yet listed in the CISA KEV catalog. The attack can occur when a malicious checkpoint file is supplied to the application; the most likely vector is remote input over any channel that delivers the .pth file to the target system, such as file sharing, network transfer, or artifact deployment. This inferred vector comes from the description that the file can be supplied by an attacker and the required torch.load operation.

Generated by OpenCVE AI on April 18, 2026 at 19:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PyTorch to version 2.10.0 or later, which contains the fixed unpickler implementation.
  • If an immediate upgrade is not possible, avoid loading checkpoints from untrusted sources by validating the file against a trusted hash or a whitelist before calling torch.load with weights_only=True.
  • If weights_only usage must be maintained, replace the default unpickler with a custom implementation that blocks arbitrary code execution, or ensure the checkpoint files are created and managed in a trusted environment.

Generated by OpenCVE AI on April 18, 2026 at 19:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-63cw-57p8-fm3p PyTorch Vulnerable to Remote Code Execution via Untrusted Checkpoint Files
History

Fri, 30 Jan 2026 22:00:00 +0000

Type Values Removed Values Added
First Time appeared Linuxfoundation
Linuxfoundation pytorch
CPEs cpe:2.3:a:linuxfoundation:pytorch:*:*:*:*:*:python:*:*
Vendors & Products Linuxfoundation
Linuxfoundation pytorch

Thu, 29 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Wed, 28 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 28 Jan 2026 12:30:00 +0000

Type Values Removed Values Added
First Time appeared Pytorch
Pytorch pytorch
Vendors & Products Pytorch
Pytorch pytorch

Tue, 27 Jan 2026 21:30:00 +0000

Type Values Removed Values Added
Description PyTorch is a Python package that provides tensor computation. Prior to version 2.10.0, a vulnerability in PyTorch's `weights_only` unpickler allows an attacker to craft a malicious checkpoint file (`.pth`) that, when loaded with `torch.load(..., weights_only=True)`, can corrupt memory and potentially lead to arbitrary code execution. Version 2.10.0 fixes the issue.
Title PyTorch Vulnerable to Remote Code Execution via Untrusted Checkpoint Files
Weaknesses CWE-502
CWE-94
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Linuxfoundation Pytorch
Pytorch Pytorch
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T15:04:50.008Z

Reserved: 2026-01-26T19:06:16.059Z

Link: CVE-2026-24747

cve-icon Vulnrichment

Updated: 2026-01-28T15:14:05.710Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-27T22:15:56.470

Modified: 2026-01-30T21:51:55.367

Link: CVE-2026-24747

cve-icon Redhat

Severity : Important

Publid Date: 2026-01-27T21:13:46Z

Links: CVE-2026-24747 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T20:00:09Z

Weaknesses