Description
stable-diffusion.cpp is a pure C/C++ library for running diffusion model (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more) inference. In versions prior to master-584-0a7ae07, the pickle .ckpt parser in src/model.cpp contained a heap buffer overflow vulnerability in the GLOBAL opcode handler. The issue was caused by missing validation when searching for newline-delimited fields. A crafted .ckpt file without the expected newline could cause the parser to use -1 as a copy length, resulting in immediate heap corruption. The attack requires the victim or application to load a .ckpt file from an untrusted source, such as a downloaded model from a model sharing site. The issue has been resolved in version master-584-0a7ae07. If developers are unable to immediately update their applications they can work around this issue by following these instructions: do not load .ckpt checkpoint files from untrusted sources, and prefer trusted model sources and safer formats such as .safetensors where possible.
Published: 2026-06-16
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a heap buffer overflow triggered by processing the GLOBAL opcode in PyTorch checkpoint (.ckpt) files in stable‑diffusion.cpp. When a crafted checkpoint file omits the expected newline delimiter, the parser interprets a negative length and overwrites heap memory. This flaw can lead to memory corruption and, in a suitable environment, arbitrary code execution or a denial of service. The weakness is a buffer overflow, corresponding to CWE‑787.

Affected Systems

Developers and users of the stable‑diffusion.cpp library before the commit master‑584‑0a7ae07 are affected. The library supports multiple diffusion models such as Stable Diffusion, Flux, Wan, Qwen Image, and Z‑Image. The vulnerability specifically impacts the checkpoint parser in src/model.cpp and applies to any application that loads .ckpt files from untrusted sources using this library.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, but the EPSS value of less than 1% suggests low likelihood of exploitation at present. The flaw is not listed in the CISA KEV catalog. Exploitation requires an attacker to supply a malicious .ckpt file that an application using stable‑diffusion.cpp will load, which is feasible if the model is obtained from an untrusted or compromised repository. Once the buffer overflow occurs, the attacker could potentially execute arbitrary code or crash the application.

Generated by OpenCVE AI on June 17, 2026 at 21:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade stable‑diffusion.cpp to master‑584‑0a7ae07 or later, where the GLOBAL opcode handler has input validation.
  • Verify that all .ckpt files are obtained from trusted model hubs and avoid importing checkpoints from unknown sources.
  • Prefer using safer checkpoint formats such as .safetensors, which are not affected by this overflow.
  • As an immediate safeguard, disable or sandbox any functionality that imports external .ckpt files until a patch is applied.

Generated by OpenCVE AI on June 17, 2026 at 21:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Leejet
Leejet stable-diffusion.cpp
Vendors & Products Leejet
Leejet stable-diffusion.cpp

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description stable-diffusion.cpp is a pure C/C++ library for running diffusion model (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more) inference. In versions prior to master-584-0a7ae07, the pickle .ckpt parser in src/model.cpp contained a heap buffer overflow vulnerability in the GLOBAL opcode handler. The issue was caused by missing validation when searching for newline-delimited fields. A crafted .ckpt file without the expected newline could cause the parser to use -1 as a copy length, resulting in immediate heap corruption. The attack requires the victim or application to load a .ckpt file from an untrusted source, such as a downloaded model from a model sharing site. The issue has been resolved in version master-584-0a7ae07. If developers are unable to immediately update their applications they can work around this issue by following these instructions: do not load .ckpt checkpoint files from untrusted sources, and prefer trusted model sources and safer formats such as .safetensors where possible.
Title stable-diffusion.cpp: Heap buffer overflow in GLOBAL opcode parsing for PyTorch checkpoint files
Weaknesses CWE-787
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Subscriptions

Leejet Stable-diffusion.cpp
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-17T13:58:25.254Z

Reserved: 2026-05-19T22:16:39.504Z

Link: CVE-2026-47750

cve-icon Vulnrichment

Updated: 2026-06-17T13:58:19.877Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-16T20:16:44.413

Modified: 2026-06-16T20:44:11.730

Link: CVE-2026-47750

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:05:06Z

Weaknesses