Cyber Posture

CVE-2025-30405

Critical

Published: 07 August 2025

Published
07 August 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0024 47.6th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-30405 is a critical-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Facebook (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 47.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly requires timely remediation of the integer overflow flaw in ExecuTorch by updating to the fixed commit, preventing exploitation via malicious models.

SI-16 Memory Protection good match
prevent

Implements memory protections like address space layout randomization and data execution prevention to block code execution from out-of-bounds memory writes caused by the integer overflow.

SI-10 Information Input Validation partial match
prevent

Enforces validation of ExecuTorch model inputs to detect and reject malformed data that could trigger the integer overflow during loading.

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
attack.mitre.org →
Why these techniques?

Integer overflow during ExecuTorch model loading directly enables remote arbitrary code execution via a malicious model file (client-side exploitation).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An integer overflow vulnerability in the loading of ExecuTorch models can cause objects to be placed outside their allocated memory area, potentially resulting in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit 0830af8207240df8d7f35b984cdf8bc35d74fa73.

Deeper analysisAI

CVE-2025-30405 is an integer overflow vulnerability (CWE-190) in the loading process of ExecuTorch models. This issue can cause objects to be placed outside their allocated memory areas, potentially resulting in code execution or other undesirable effects. The vulnerability affects ExecuTorch prior to commit 0830af8207240df8d7f35b984cdf8bc35d74fa73.

With a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), the flaw is exploitable remotely by unauthenticated attackers with low complexity and no user interaction required. Exploitation involves providing a malicious ExecuTorch model, which could lead to arbitrary code execution and high impacts on confidentiality, integrity, and availability.

Mitigation is addressed by updating to ExecuTorch commit 0830af8207240df8d7f35b984cdf8bc35d74fa73 or later, as provided in the GitHub patch commit. Further details are available in the Meta security advisory.

ExecuTorch, part of the PyTorch ecosystem, enables runtime execution of machine learning models on edge devices, highlighting the vulnerability's relevance to AI/ML deployments in resource-constrained environments.

Details

CWE(s)
CWE-190

Affected Products

Facebook
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2025-47392Shared CWE-190
CVE-2026-40962Shared CWE-190
CVE-2026-5732Shared CWE-190
CVE-2025-21338Shared CWE-190
CVE-2025-21244Shared CWE-190
CVE-2026-21321Shared CWE-190
CVE-2025-52581Shared CWE-190
CVE-2026-24875Shared CWE-190
CVE-2026-40250Shared CWE-190
CVE-2026-40244Shared CWE-190

References