PyTorch: PyTorch Vulnerability Allows Memory Corruption Leading to Remote Code Execution

Critical PyTorch Vulnerability (CVE-2026-24747) Enables Arbitrary Code Execution via Malicious Model Files

A severe vulnerability in PyTorch’s checkpoint loading mechanism has been disclosed, allowing attackers to execute arbitrary code through specially crafted model files. Tracked as CVE-2026-24747 with a CVSS score of 9.8, the flaw affects PyTorch versions 2.9.1 and earlier and poses a high risk to confidentiality, integrity, and availability.

The issue lies in PyTorch’s weights_only unpickler, the restricted unpickler that torch.load() uses when weights_only=True. It was designed to load checkpoints without executing arbitrary pickle payloads by limiting which opcodes are honoured and which globals may be resolved. According to the disclosure, it did not adequately validate pickle opcodes and storage metadata, so those restrictions can be bypassed. A crafted checkpoint file (.pth) can trigger memory corruption in two reported ways: by applying the SETITEM/SETITEMS opcodes to an object that is not a dictionary, or by declaring storage element counts that make the loader write beyond the intended buffer. When a victim loads such a file with torch.load() and weights_only=True, the attacker’s code runs with the privileges of the loading process, which in most deployments is enough to take over the host or container. Note that weights_only=True has been the default for torch.load() since PyTorch 2.6, so callers that never set the flag are in scope as well; the flag narrows what a pickle may do, but it is not a sandbox for memory-safety bugs in the unpickler itself.
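To make the restriction concrete, the following Python is an added example, not PyTorch’s own code: it extracts the pickle stream from a checkpoint (the data.pkl member of a zip-format torch.save() file, or the whole file for the legacy raw format) and walks its opcodes with pickletools without executing any of them, rejecting every GLOBAL/STACK_GLOBAL reference outside a small allowlist and any INST/OBJ opcode. The allowlist, the sample checkpoints and the member name model/data.pkl are constructed for the example and are not PyTorch’s real lists or layout. This is a pre-load triage step in the spirit of weights_only, not a detector for CVE-2026-24747: the flaw is in how the unpickler handles otherwise permitted opcodes and storage metadata, so upgrading is the only fix.

```python
import pickle
import pickletools
import zipfile
from io import BytesIO

# Illustrative allowlist of (module, name) pairs a tensor-only checkpoint may reference.
# Assumption: a small subset chosen for this example, not PyTorch's actual allowlist.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
    ("torch", "FloatStorage"),
    ("torch", "LongStorage"),
}
# Opcodes that instantiate arbitrary classes; a state_dict never needs them.
REJECT_OPCODES = {"INST", "OBJ"}
# String-pushing opcodes; the two most recent precede a STACK_GLOBAL as (module, name).
STRING_OPCODES = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def extract_pickle(blob: bytes) -> bytes:
    """Return the pickle stream of a checkpoint: the single data.pkl member of a
    zip-format torch.save() file, or the blob itself for the legacy raw-pickle format."""
    buf = BytesIO(blob)
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            members = [n for n in zf.namelist() if n.endswith("/data.pkl")]
            if len(members) != 1:
                raise ValueError(f"expected exactly one data.pkl member, found {members}")
            return zf.read(members[0])
    return blob


def scan_pickle(stream: bytes) -> list[str]:
    """Walk the opcode stream without executing it. Returns a list of findings;
    an empty list means every global was allowlisted and no rejected opcode appeared."""
    findings: list[str] = []
    recent_strings: list[str] = []
    for op, arg, pos in pickletools.genops(stream):
        if op.name in STRING_OPCODES:
            recent_strings = (recent_strings + [arg])[-2:]
        if op.name in REJECT_OPCODES:
            findings.append(f"offset {pos}: rejected opcode {op.name}")
            continue
        ref = None
        if op.name == "GLOBAL":           # protocol <= 3: argument is "module name"
            module, _, name = arg.partition(" ")
            ref = (module, name)
        elif op.name == "STACK_GLOBAL":   # protocol 4+: module and name were pushed as strings
            if len(recent_strings) < 2:
                findings.append(f"offset {pos}: STACK_GLOBAL without module/name strings")
                continue
            ref = (recent_strings[0], recent_strings[1])
        if ref is not None and ref not in ALLOWED_GLOBALS:
            findings.append(f"offset {pos}: global {ref[0]}.{ref[1]} is not allowlisted")
    return findings


def check_checkpoint(blob: bytes) -> list[str]:
    """Triage a checkpoint's bytes before anything calls torch.load() on them."""
    return scan_pickle(extract_pickle(blob))


class _Payload:
    """Constructed for the example: its __reduce__ makes an unpickler resolve and call
    builtins.print, standing in for the callables a real payload would reach for."""
    def __reduce__(self):
        return (print, ("hello from the pickle",))


def build_samples() -> dict[str, bytes]:
    """Constructed inputs, not real models: a benign state_dict-like dict inside a
    zip-format checkpoint, and a legacy raw pickle carrying the payload above."""
    benign = pickle.dumps({"layer.weight": [0.1, 0.2], "layer.bias": [0.0]}, protocol=2)
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("model/data.pkl", benign)
    malicious = pickle.dumps(_Payload(), protocol=4)
    return {"benign": buf.getvalue(), "malicious": malicious}


if __name__ == "__main__":
    for label, blob in build_samples().items():
        print(label, check_checkpoint(blob) or "clean")
```

The scanner only reads the opcode stream, so it is safe to run on an untrusted file; it cannot, however, see the runtime state that the reported SETITEM/SETITEMS and storage-count bugs depend on, which is why it complements an upgrade rather than replacing one.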

Exploitation requires user interaction (the victim must load the file) but no prior privileges, and the attack vector is rated network-based with low complexity, since malicious checkpoints can be distributed through model hubs, shared storage or compromised repositories. PyTorch has fixed the flaw in version 2.10.0, which enforces stricter validation of pickle opcodes and storage metadata. Organizations are advised to upgrade immediately; the only workaround is to not load checkpoints from untrusted sources, which in practice means treating every .pth file as executable input until its origin and integrity have been verified.

The flaw underscores that a pickle-based checkpoint is executable input and that even a restricted unpickler is attack surface: weights_only narrows what a pickle may do, but a bug in the unpickler itself reopens the door. Security teams should inventory PyTorch deployments and the versions they run, pin and verify the digests (or signatures) of model files before loading them, prefer a non-pickle serialization such as safetensors where the toolchain allows it, and restrict the sources from which production systems may fetch models.
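The upgrade and integrity checks above can be enforced in code rather than by policy. The following Python is an added example, not part of PyTorch or of the advisory: a gate that refuses to unpickle a checkpoint unless the running torch version is at least 2.10.0 (the fixed release the page reports) and the file’s SHA-256 matches a digest pinned in a manifest at publication time, and that then hands the verified bytes, not the path, to torch.load(). The manifest format, the function names and the sample bytes are assumptions made for the example; the torch version string is passed in (torch.__version__ in practice) so the gate itself runs without torch installed.

```python
import hashlib
import hmac
import re
from io import BytesIO
from pathlib import Path
from typing import Callable

# First release the advisory reports as carrying the fix for CVE-2026-24747.
FIXED_VERSION = (2, 10, 0)


def parse_version(version: str) -> tuple[int, int, int]:
    """'2.9.1+cu121' -> (2, 9, 1). Build tags and dev suffixes are ignored on purpose,
    so a 2.10.0.devNNN nightly is treated as 2.10.0; tighten this if your fleet runs nightlies."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unparseable torch version {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_patched(torch_version: str) -> bool:
    return parse_version(torch_version) >= FIXED_VERSION


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_checkpoint(name: str, data: bytes, manifest: dict[str, str],
                      torch_version: str) -> tuple[bool, str]:
    """Gate that runs before any unpickling. Returns (ok, reason) so callers can log
    the refusal. The manifest maps file name -> hex SHA-256 pinned when the model was
    published (assumed format for this example)."""
    if not is_patched(torch_version):
        return False, f"torch {torch_version} predates {'.'.join(map(str, FIXED_VERSION))}"
    expected = manifest.get(name)
    if expected is None:
        return False, f"{name} is not in the manifest"
    actual = sha256_hex(data)
    if not hmac.compare_digest(actual, expected):
        return False, f"digest mismatch for {name}: got {actual}, pinned {expected}"
    return True, "ok"


def torch_loader(fileobj, weights_only: bool = True):
    """Default loader; torch is imported lazily so the gate has no torch dependency."""
    import torch
    return torch.load(fileobj, map_location="cpu", weights_only=weights_only)


def load_verified_bytes(name: str, data: bytes, manifest: dict[str, str],
                        torch_version: str, loader: Callable = torch_loader):
    ok, reason = verify_checkpoint(name, data, manifest, torch_version)
    if not ok:
        raise RuntimeError(f"refusing to load {name}: {reason}")
    # Hand the loader the verified bytes themselves rather than the path, so the file
    # cannot be swapped on disk between hashing and loading.
    return loader(BytesIO(data), weights_only=True)


def load_verified(path, manifest: dict[str, str], torch_version: str,
                  loader: Callable = torch_loader):
    """Read the file once, verify those exact bytes, then unpickle them."""
    path = Path(path)
    return load_verified_bytes(path.name, path.read_bytes(), manifest, torch_version, loader)


if __name__ == "__main__":
    # Constructed sample, not a real model: the gate's decisions are what is being shown.
    sample = b"constructed checkpoint bytes"
    manifest = {"model.pth": sha256_hex(sample)}
    print(verify_checkpoint("model.pth", sample, manifest, "2.9.1"))
    print(verify_checkpoint("model.pth", sample, manifest, "2.10.0"))
    print(verify_checkpoint("model.pth", sample + b"x", manifest, "2.10.0"))
```

In production the manifest should itself be signed or fetched over an authenticated channel; a digest that an attacker can rewrite alongside the model pins nothing.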

Source: https://cyberpress.org/pytorch-vulnerability-allows-memory-corruption-leading-to-remote-code-execution/

PyTorch cybersecurity rating report: https://www.rankiteo.com/company/pytorch

{
  "id": "PYT1769705276",
  "linkid": "pytorch",
  "type": "Vulnerability",
  "date": "1/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}

{
  "affected_entities": [
    {
      "customers_affected": "Users of PyTorch versions 2.9.1 and earlier",
      "industry": "Machine Learning/AI",
      "name": "PyTorch",
      "type": "Software Framework"
    }
  ],
  "attack_vector": "Network-based",
  "customer_advisories": "Advisory to upgrade immediately and avoid untrusted checkpoint files",
  "data_breach": {"file_types_exposed": [".pth (PyTorch checkpoint files)"]},
  "description": "A severe vulnerability in PyTorch’s checkpoint loading mechanism has been disclosed, allowing attackers to execute arbitrary code through specially crafted model files. The flaw affects PyTorch versions 2.9.1 and earlier and poses a high risk to confidentiality, integrity, and availability. The issue lies in PyTorch’s `weights_only` unpickler, which was designed to safely load model checkpoints by restricting pickle operations. However, inadequate validation of pickle opcodes and storage metadata enables attackers to bypass these protections. By embedding malicious payloads in checkpoint files (`.pth`), adversaries can trigger memory corruption exploiting SETITEM/SETITEMS opcodes on non-dictionary types or manipulating storage element counts to write beyond intended memory boundaries. When a victim loads a compromised file using `torch.load()` with `weights_only=True`, the attack executes with the user’s privileges, granting full control over the host system.",
  "impact": {
    "brand_reputation_impact": "High risk to confidentiality, integrity, and availability",
    "operational_impact": "Arbitrary code execution with user privileges, full system control",
    "systems_affected": "Host systems running PyTorch versions 2.9.1 and earlier"
  },
  "lessons_learned": "The flaw underscores the risks of unpickling unvalidated model files in machine learning workflows, particularly in production environments.",
  "post_incident_analysis": {
    "corrective_actions": "Stricter validation of pickle operations and metadata in PyTorch 2.10.0",
    "root_causes": "Inadequate validation of pickle opcodes and storage metadata in PyTorch’s `weights_only` unpickler"
  },
  "recommendations": [
    "Upgrade to PyTorch version 2.10.0 immediately",
    "Avoid loading untrusted checkpoint files",
    "Audit PyTorch deployments",
    "Verify model file integrity",
    "Implement network-level controls to mitigate exposure"
  ],
  "references": [{"source": "CVE-2026-24747"}],
  "response": {
    "communication_strategy": "Advisory to upgrade immediately and avoid untrusted checkpoint files",
    "containment_measures": "Upgrade to PyTorch version 2.10.0",
    "enhanced_monitoring": "Audit PyTorch deployments and verify model file integrity",
    "remediation_measures": "Stricter validation of pickle operations and metadata in PyTorch 2.10.0"
  },
  "title": "Critical PyTorch Vulnerability (CVE-2026-24747) Enables Arbitrary Code Execution via Malicious Model Files",
  "type": "Vulnerability Exploitation",
  "vulnerability_exploited": "CVE-2026-24747"
}