Cyber Resilience

CVE-2025-54952

Severity: Critical
Published: 08 August 2025
Modified: 15 April 2026
KEV Added: not listed
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0110 (78.5th percentile)
Risk Priority: 20 (weighting 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-54952 is a critical-severity Integer Overflow to Buffer Overflow (CWE-680) vulnerability in ExecuTorch, Meta's on-device inference runtime. NVD filed no CPE for this CVE, so the vendor recorded here ("Facebook") is inferred from the references rather than from a product entry. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK techniques Exploit Public-Facing Application (T1190) and Exploitation for Client Execution (T1203). Its EPSS percentile places it in the top 21.5% of CVEs by predicted exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Deeper analysis

An integer overflow vulnerability exists in the model loading process of ExecuTorch: size fields in a malformed model file can make the loader's size arithmetic wrap, so it allocates a memory region smaller than the data it then writes into it. This is the CWE-680 pattern (integer overflow leading to buffer overflow), and it affects all versions prior to commit 8f062d3f661e20bb19b24b767b9a9a46e8359f2b. The issue carries a CVSS 3.1 score of 9.8, reflecting the severity of memory corruption during deserialization of untrusted model files.

As scored (AV:N, PR:N, UI:N), the issue is exploitable over the network without authentication or user interaction by supplying a crafted ExecuTorch model. In practice the precondition is that the target loads a model file the attacker controls, whether it arrives over a network interface, from a model repository, or through the software supply chain. Successful exploitation may result in memory corruption and arbitrary code execution in the process that loads the model, or other unintended behaviour within that loading context.

The referenced GitHub commit and Meta security advisory identify the fix as an update to the affected model-loading code. Practitioners should upgrade ExecuTorch to a build that includes commit 8f062d3f661e20bb19b24b767b9a9a46e8359f2b and confirm that the commit is an ancestor of the revision they ship, since the project's version numbers do not by themselves indicate whether the fix is present. The associated EPSS score has remained flat at 0.0110, with no observed rise after disclosure.


Vulnerability details

An integer overflow vulnerability in the loading of ExecuTorch models can cause smaller-than-expected memory regions to be allocated, potentially resulting in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit 8f062d3f661e20bb19b24b767b9a9a46e8359f2b.

CWE(s)

CWE-680: Integer Overflow to Buffer Overflow

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
  Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1203 Exploitation for Client Execution (Execution)
  Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Integer overflow in model loading enables unauthenticated code execution wherever untrusted model files are accepted: T1190 covers public-facing ExecuTorch-backed services that take models over the network, and T1203 covers client or edge applications that load a model delivered to them.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-8376 (shared CWE-680)
CVE-2025-32468 (shared CWE-680)
CVE-2025-53510 (shared CWE-680)
CVE-2026-25541 (shared CWE-680)
CVE-2025-52930 (shared CWE-680)
CVE-2025-46407 (shared CWE-680)
CVE-2025-52456 (shared CWE-680)
CVE-2024-56451 (shared CWE-680)
CVE-2024-57956 (shared CWE-680)

Affected Assets

ExecuTorch (published by Meta / Facebook)
Inferred from the references and description; NVD did not file a CPE for this CVE, so no exact product or version range is recorded there.

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly requires timely remediation of the integer overflow in ExecuTorch by upgrading to a build that includes the fix commit 8f062d3f661e20bb19b24b767b9a9a46e8359f2b; builds prior to that commit remain vulnerable.

SI-10 Information Input Validation (prevent)

Mandates validation of ExecuTorch model inputs during loading so that malformed data is detected and rejected: size arithmetic derived from the file must be checked for overflow, and every declared size must be bounded by the bytes actually present, so that an under-allocation can never be reached.

SI-16 Memory Protection (prevent)

Implements memory protection mechanisms such as address space layout randomization or guard pages to raise the cost of turning a write past the under-allocated region into code execution. These controls limit exploitability but do not remove the flaw; they are a complement to SI-2 and SI-10, not a substitute.
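The following is an added illustration, written for this page and not code from ExecuTorch or Meta, of the size-arithmetic flaw described in the deeper analysis and of the input validation that SI-10 calls for. The record layout it parses (four little-endian 32-bit dimensions, a 32-bit element size, then the payload) is an assumption for illustration only and is not the ExecuTorch .pte format. alloc_size_unchecked shows the vulnerable pattern, where the product of attacker-controlled fields wraps in the header's own 32-bit width; alloc_size_checked and load_tensor show the hardened form, which computes the size with overflow-checked multiplication and refuses any record that claims more bytes than the buffer holds. The vulnerable function only computes the wrapped size; it never performs the out-of-bounds write.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <vector>

// Constructed, simplified tensor header as an untrusted model record might encode it.
// Every field is attacker-controlled. (Illustrative layout, not the real .pte format.)
struct TensorHeader {
    uint32_t dims[4];       // shape
    uint32_t element_size;  // bytes per element
};

// Vulnerable pattern: the byte count is accumulated in the header's own 32-bit width,
// so the product wraps modulo 2^32 and the loader allocates far less than it later writes.
uint32_t alloc_size_unchecked(const TensorHeader& h) {
    uint32_t n = h.element_size;
    for (uint32_t d : h.dims) n *= d;  // silent wrap-around
    return n;
}

// Hardened form: widen to size_t, check every multiplication for overflow, and bound the
// result by the number of payload bytes actually present in the buffer.
std::optional<size_t> alloc_size_checked(const TensorHeader& h, size_t bytes_available) {
    size_t n = h.element_size;
    for (uint32_t d : h.dims) {
        if (__builtin_mul_overflow(n, static_cast<size_t>(d), &n)) {
            return std::nullopt;  // product does not fit in size_t: reject the record
        }
    }
    if (n > bytes_available) return std::nullopt;  // claims more data than the file carries
    return n;
}

static uint32_t read_u32(const uint8_t* p) {
    return static_cast<uint32_t>(p[0]) | (static_cast<uint32_t>(p[1]) << 8) |
           (static_cast<uint32_t>(p[2]) << 16) | (static_cast<uint32_t>(p[3]) << 24);
}

static void write_u32(std::vector<uint8_t>& v, uint32_t x) {
    for (int i = 0; i < 4; ++i) v.push_back(static_cast<uint8_t>(x >> (8 * i)));
}

// Builds a constructed record (header + payload_len filler bytes) for testing.
std::vector<uint8_t> make_record(const TensorHeader& h, size_t payload_len) {
    std::vector<uint8_t> v;
    for (uint32_t d : h.dims) write_u32(v, d);
    write_u32(v, h.element_size);
    v.insert(v.end(), payload_len, 0xAB);  // constructed payload bytes
    return v;
}

// Parses one record and copies its payload into `out` only if the declared size passes
// the checks above. Returns false (and leaves `out` untouched) when the record is rejected.
bool load_tensor(const uint8_t* buf, size_t len, std::vector<uint8_t>& out) {
    const size_t header_bytes = sizeof(uint32_t) * 5;
    if (len < header_bytes) return false;
    TensorHeader h{};
    for (int i = 0; i < 4; ++i) h.dims[i] = read_u32(buf + 4 * i);
    h.element_size = read_u32(buf + 16);
    std::optional<size_t> sz = alloc_size_checked(h, len - header_bytes);
    if (!sz) return false;
    out.assign(buf + header_bytes, buf + header_bytes + *sz);  // allocation == bytes copied
    return true;
}

int main() {
    // 4 bytes * (2^30 + 1) elements = 2^32 + 4, which wraps to 4 in 32-bit arithmetic.
    TensorHeader evil{{0x40000001u, 1, 1, 1}, 4};
    std::printf("unchecked allocation: %u bytes (wrapped)\n", alloc_size_unchecked(evil));
    std::vector<uint8_t> rec = make_record(evil, 16);
    std::vector<uint8_t> out;
    std::printf("checked load: %s\n",
                load_tensor(rec.data(), rec.size(), out) ? "accepted" : "rejected");
    return 0;
}
```

The unchecked path reports a 4-byte allocation for a tensor whose writer would then copy more than 4 GiB into it; the checked path rejects the same header because the widened product exceeds the bytes available, and it also rejects shapes whose product overflows even 64 bits, which a bounds check alone would miss.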
