Description
stable-diffusion.cpp is a pure C/C++ library for running diffusion model (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more) inference. In versions prior to master-584-0a7ae07, the pickle .ckpt parser in src/model.cpp contained a heap buffer overflow vulnerability in the BINUNICODE opcode handler. The issue was caused by sign confusion on the opcode length field. A crafted .ckpt file could trigger memcpy with a very large length derived from a negative signed value, causing immediate heap corruption.
The issue has been resolved in version master-584-0a7ae07. If developers are unable to immediately update their applications they can work around this issue by only loading .ckpt checkpoint files from trusted sources and preferring trusted model sources and safer formats such as .safetensors where possible.
Published: 2026-06-16
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a heap-based buffer overflow that occurs in the BINUNICODE opcode handler of the pickle .ckpt parser used by stable‑diffusion.cpp. The issue is caused by sign confusion on the opcode length field, which allows a crafted .ckpt file to trigger a memcpy with an excessively large length derived from a negative signed value, resulting in immediate heap corruption. Heap corruption can lead to denial of service or arbitrary code execution depending on the context of the execution and the privileges of the process handling the file. The weakness is mapped to CWE-122 and CWE-787.

Affected Systems

The affected product is stable‑diffusion.cpp, a pure C/C++ library for diffusion model inference. Versions prior to master‑584‑0a7ae07 are vulnerable. The vendor is leejet and the library is used for running models such as Stable Diffusion, Flux, Wan, Qwen Image, Z‑Image, and others.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity. The EPSS score of <1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local or remote file supply: an attacker who can place a crafted .ckpt file in a location that the application loads is able to trigger the overflow. Because the vulnerability occurs in memory handling code, privilege escalation or code execution is plausible if the process runs with elevated privileges or if the overflow modifies control data.

Generated by OpenCVE AI on June 17, 2026 at 21:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade stable‑diffusion.cpp to version master‑584‑0a7ae07 or later, which contains the fix for the heap overflow.
  • If an immediate upgrade is not possible, restrict model loading to files obtained from trusted sources only and avoid untrusted .ckpt checkpoints.
  • Prefer safer model formats such as .safetensors that do not use the vulnerable pickle parser and therefore eliminate the risk of this overflow.

Generated by OpenCVE AI on June 17, 2026 at 21:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Leejet
Leejet stable-diffusion.cpp
Vendors & Products Leejet
Leejet stable-diffusion.cpp

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description stable-diffusion.cpp is a pure C/C++ library for running diffusion model (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more) inference. In versions prior to master-584-0a7ae07, the pickle .ckpt parser in src/model.cpp contained a heap buffer overflow vulnerability in the BINUNICODE opcode handler. The issue was caused by sign confusion on the opcode length field. A crafted .ckpt file could trigger memcpy with a very large length derived from a negative signed value, causing immediate heap corruption. The issue has been resolved in version master-584-0a7ae07. If developers are unable to immediately update their applications they can work around this issue by only loading .ckpt checkpoint files from trusted sources and preferring trusted model sources and safer formats such as .safetensors where possible.
Title stable-diffusion.cpp has a Heap-based Buffer Overflow
Weaknesses CWE-122
CWE-787
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Subscriptions

Leejet Stable-diffusion.cpp
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-17T18:12:56.949Z

Reserved: 2026-05-19T22:16:39.504Z

Link: CVE-2026-47747

cve-icon Vulnrichment

Updated: 2026-06-17T18:11:31.514Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-16T20:16:44.163

Modified: 2026-06-16T20:44:11.730

Link: CVE-2026-47747

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:05:02Z

Weaknesses