Description
stable-diffusion.cpp is a pure C/C++ library for running diffusion model (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more) inference. Versions prior to master-584-0a7ae07 are vulnerable to an out-of-bounds reads error through PyTorch checkpoint pickle opcode parsing. The pickle .ckpt parser in src/model.cpp did not consistently check that enough input remained before reading opcode arguments or advancing the parser buffer with a crafted or truncated .ckpt file. Throughout the pickle parser, opcode handlers advanced the parser position with expressions such as buffer += N without first checking that buffer + N <= buffer_end. A truncated file could therefore cause reads past the end of the metadata buffer. LibFuzzer found crashes in under one second using malformed checkpoint inputs. Any application using affected stable-diffusion.cpp releases to load untrusted .ckpt model files could be vulnerable. The attack requires the victim or application to load a .ckpt file from an untrusted source, such as a downloaded model from a model sharing site. This issue has been fixed in version master-584-0a7ae07. If developers are unable to immediately update their applications, they can work around this issue by ensuring they do not load .ckpt checkpoint files from untrusted sources. They should prefer trusted model sources and safer formats such as .safetensors where possible.
Published: 2026-06-16
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An out‑of‑bounds read flaw exists in the PyTorch checkpoint pickle parser of stable‑diffusion.cpp. The parser does not verify that sufficient data remains before advancing the parsing buffer, so a crafted or truncated .ckpt file can cause the library to read beyond the end of the metadata buffer. The resulting leak can expose internal memory contents and may also trigger a crash, producing a denial of service. The vulnerability is identified as CWE-125.

Affected Systems

Developers and operators integrating stable‑diffusion.cpp releases prior to master‑584‑0a7ae07 are affected if their applications load .ckpt files from untrusted sources such as model sharing sites. Any process that accepts external checkpoint files with this library is vulnerable.

Risk and Exploitability

The CVSS score of 5.5 places the issue in the moderate range, and the EPSS score of less than 1% indicates a very low exploit probability. The flaw is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is delivery of a malicious or truncated .ckpt file that is read during model loading. An attacker can supply such a file from a public model marketplace or by tampering with a legitimate download. Once parsed, the out‑of‑bounds read may leak sensitive data or crash the process.

Generated by OpenCVE AI on June 17, 2026 at 22:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade stable‑diffusion.cpp to master‑584‑0a7ae07 or a later fixed release.
  • Avoid loading .ckpt checkpoint files from untrusted sources; instead, obtain models from trusted repositories or convert models to the safer .safetensors format.
  • Implement sandboxing or apply runtime input validation to ensure that checkpoint files do not contain malformed or excessively long opcodes before they are processed.

Generated by OpenCVE AI on June 17, 2026 at 22:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Leejet
Leejet stable-diffusion.cpp
Vendors & Products Leejet
Leejet stable-diffusion.cpp

Tue, 16 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Description stable-diffusion.cpp is a pure C/C++ library for running diffusion model (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more) inference. Versions prior to master-584-0a7ae07 are vulnerable to an out-of-bounds reads error through PyTorch checkpoint pickle opcode parsing. The pickle .ckpt parser in src/model.cpp did not consistently check that enough input remained before reading opcode arguments or advancing the parser buffer with a crafted or truncated .ckpt file. Throughout the pickle parser, opcode handlers advanced the parser position with expressions such as buffer += N without first checking that buffer + N <= buffer_end. A truncated file could therefore cause reads past the end of the metadata buffer. LibFuzzer found crashes in under one second using malformed checkpoint inputs. Any application using affected stable-diffusion.cpp releases to load untrusted .ckpt model files could be vulnerable. The attack requires the victim or application to load a .ckpt file from an untrusted source, such as a downloaded model from a model sharing site. This issue has been fixed in version master-584-0a7ae07. If developers are unable to immediately update their applications, they can work around this issue by ensuring they do not load .ckpt checkpoint files from untrusted sources. They should prefer trusted model sources and safer formats such as .safetensors where possible.
Title stable-diffusion.cpp: Out-of-bounds reads in PyTorch checkpoint pickle opcode parsing
Weaknesses CWE-125
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}


Subscriptions

Leejet Stable-diffusion.cpp
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-16T18:42:49.132Z

Reserved: 2026-05-19T22:16:39.504Z

Link: CVE-2026-47748

cve-icon Vulnrichment

Updated: 2026-06-16T18:41:31.496Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-16T19:16:55.720

Modified: 2026-06-16T20:44:11.730

Link: CVE-2026-47748

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:05:11Z

Weaknesses