Description
The _load_model() function in the neural_magic_training.py script of the optimate project in commit a6d302f912b481c94370811af6b11402f51d377f (2024-07-21) is vulnerable to insecure deserialization (CWE-502). When loading a model state dictionary from a state_dict.pt file via torch.load(), the function does not enable the weights_only=True security parameter. This allows the deserialization of arbitrary Python objects through the Pickle module. A remote attacker can exploit this by providing a maliciously crafted state_dict.pt file within a directory specified via the --model argument, leading to arbitrary code execution during the deserialization process on the victim's system.
Published: 2026-05-12
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The load_model function in the neural_magic_training.py script of the optimate project contains an insecure deserialization flaw (CWE-502). When loading a model’s state dictionary from a state_dict.pt file via torch.load(), the function does not enable the weights_only=True security parameter, allowing the deserialization of arbitrary Python objects through the Pickle module. This flaw enables a malicious actor to craft a state_dict.pt file that executes arbitrary code during loading, compromising the integrity, confidentiality, and availability of the system that runs the script.

Affected Systems

The vulnerability affects the optimate project, specifically the neural_magic_training.py script in the commit a6d302f912b481c94370811af6b11402f51d377f (2024-07-21). Any deployment of optimate that loads model files via the --model argument and uses the default torch.load behavior is susceptible, regardless of the specific operating system or Python environment, because the insecure pickle deserialization is hardcoded into the script.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity of this insecure deserialization flaw, allowing attackers to execute arbitrary code when loading a malicious state_dict.pt file. The EPSS score of < 1% suggests a low probability of exploitation in the near term, and the vulnerability is not yet listed in CISA's KEV catalog. Nonetheless, the remote code execution capability warrants immediate attention. The attack vector is inferred to be remote, as the attacker must supply a malicious file within the directory specified by the --model argument, which is then processed during normal script execution.

Generated by OpenCVE AI on May 15, 2026 at 15:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a version of optimate that enforces weights_only=True in torch.load or otherwise restricts pickle deserialization
  • Validate or digitally sign all state_dict.pt files before loading to ensure they contain only expected data
  • Restrict file system permissions so that only trusted users can place files in the --model directory and consider sandboxing the script execution environment
  • If an update is not yet available, manually modify the load_model function to use weights_only=True with torch.load, ensuring only model weights are loaded, or switch to a safer deserialization method

Generated by OpenCVE AI on May 15, 2026 at 15:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 17 May 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Nebuly-ai
Nebuly-ai optimate
Vendors & Products Nebuly-ai
Nebuly-ai optimate

Fri, 15 May 2026 16:15:00 +0000

Type Values Removed Values Added
Title Insecure Deserialization in optimate's Model Loading Enables Remote Code Execution

Fri, 15 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 12 May 2026 19:30:00 +0000

Type Values Removed Values Added
Title Insecure Deserialization in optimate's Model Loading Enables Remote Code Execution
Weaknesses CWE-502

Tue, 12 May 2026 16:00:00 +0000

Type Values Removed Values Added
Description The _load_model() function in the neural_magic_training.py script of the optimate project in commit a6d302f912b481c94370811af6b11402f51d377f (2024-07-21) is vulnerable to insecure deserialization (CWE-502). When loading a model state dictionary from a state_dict.pt file via torch.load(), the function does not enable the weights_only=True security parameter. This allows the deserialization of arbitrary Python objects through the Pickle module. A remote attacker can exploit this by providing a maliciously crafted state_dict.pt file within a directory specified via the --model argument, leading to arbitrary code execution during the deserialization process on the victim's system.
References

Subscriptions

Nebuly-ai Optimate
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-15T14:00:28.092Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31218

cve-icon Vulnrichment

Updated: 2026-05-15T14:00:17.397Z

cve-icon NVD

Status : Deferred

Published: 2026-05-12T16:16:13.710

Modified: 2026-05-15T15:16:50.730

Link: CVE-2026-31218

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-17T19:42:29Z

Weaknesses