CVE-2026-24747
Published: 27 January 2026
Summary
CVE-2026-24747 is a high-severity Code Injection (CWE-94) vulnerability in Linuxfoundation Pytorch. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 45.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Deep Learning Frameworks; in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-24747 affects PyTorch, a Python package for tensor computation, in versions prior to 2.10.0. The vulnerability lies in the `weights_only` unpickler, enabling an attacker to craft a malicious checkpoint file (.pth) that corrupts memory when loaded via `torch.load(..., weights_only=True)`. This flaw maps to CWE-94 (Code Injection) and CWE-502 (Deserialization of Untrusted Data), earning a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
Exploitation requires an attacker to deliver a specially crafted .pth file to a victim, who must then load it using the vulnerable `torch.load` call with `weights_only=True`, involving user interaction. No privileges are needed (PR:N), and attacks can originate over the network (AV:N) with low complexity (AC:L). Successful exploitation corrupts memory and can lead to arbitrary code execution, with high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H).
PyTorch version 2.10.0 resolves the issue. Mitigation involves updating to this version or later. Official resources include the security advisory (GHSA-63cw-57p8-fm3p), the fixing commit (954dc5183ee9205cbe79876ad05dd2d9ae752139), the issue discussion (issues/163105), and release notes for v2.10.0.
PyTorch's role in machine learning makes this vulnerability pertinent to AI/ML workflows, where checkpoint files are commonly shared and loaded with `weights_only=True` for safer deserialization.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4738
Vulnerability details
PyTorch is a Python package that provides tensor computation. Prior to version 2.10.0, a vulnerability in PyTorch's `weights_only` unpickler allows an attacker to craft a malicious checkpoint file (`.pth`) that, when loaded with `torch.load(..., weights_only=True)`, can corrupt memory and potentially lead to arbitrary code execution. Version 2.10.0 fixes the issue.
AI Security Analysis
- AI Category: Deep Learning Frameworks
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: pytorch
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability enables arbitrary code execution via deserialization of a malicious .pth checkpoint file loaded by the victim (T1204.002 Malicious File); execution occurs through the Python interpreter in PyTorch (T1059.006 Python).
Mitigating Controls (NIST 800-53 r5)
Flaw remediation requires timely patching of PyTorch to version 2.10.0 or later, directly eliminating the vulnerable `weights_only` unpickler.
Vulnerability monitoring and scanning identifies systems with vulnerable PyTorch versions affected by this deserialization flaw.
Memory protection mechanisms mitigate memory corruption from malicious checkpoint deserialization, hindering arbitrary code execution.
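The two defender-side checks the analysis above and the controls listed here describe, version gating (flaw remediation and vulnerability scanning) and refusing to deserialize checkpoints that are not explicitly trusted, as an added Python example that is not part of this advisory or of the PyTorch project. The only fact taken from the page is that 2.10.0 is the fixed release; the host inventory, the allowlisted SHA-256 digests, the sample checkpoint bytes and the `safe_load` wrapper are constructed assumptions for illustration.

```python
"""
Added example: gate torch.load(weights_only=True) behind (1) a check that the
installed PyTorch is at least the fixed 2.10.0 release and (2) a SHA-256
allowlist of checkpoints an operator has explicitly trusted. Also includes a
small inventory scan that flags hosts still running a vulnerable build.
"""
import hashlib
import re
from typing import Dict, Iterable, List, Optional

# First release that fixes CVE-2026-24747 (taken from the advisory text).
FIXED_VERSION = (2, 10, 0)


def parse_version(version: str) -> tuple:
    """Reduce a PyTorch version string such as '2.9.1+cu121' or '2.10.0a0'
    to a comparable (major, minor, patch) tuple of its numeric release part."""
    release = version.split("+", 1)[0]  # drop local build tag, e.g. +cu121
    match = re.match(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?", release)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part or 0) for part in match.groups())


def is_vulnerable(version: str) -> bool:
    """True when the given PyTorch version predates the 2.10.0 fix."""
    return parse_version(version) < FIXED_VERSION


def vulnerable_hosts(inventory: Dict[str, str]) -> List[str]:
    """RA-5 style scan: given {hostname: torch_version}, return the sorted
    hostnames whose PyTorch build is still vulnerable."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def installed_torch_version() -> Optional[str]:
    """Version of the torch distribution on this interpreter, or None if absent."""
    try:
        from importlib.metadata import version
        return version("torch")
    except Exception:
        return None


def checkpoint_verdict(data: bytes, allowed_sha256: Iterable[str],
                       torch_version: Optional[str]) -> dict:
    """Pre-load gate for a checkpoint's raw bytes. Loading is allowed only when
    the digest is on the allowlist AND the interpreter's PyTorch is known to be
    a fixed version (an unknown version is treated as not allowed)."""
    digest = sha256_hex(data)
    vulnerable = is_vulnerable(torch_version) if torch_version else None
    hash_ok = digest in set(allowed_sha256)
    return {
        "sha256": digest,
        "torch_version": torch_version,
        "vulnerable_torch": vulnerable,
        "hash_ok": hash_ok,
        "allowed": hash_ok and vulnerable is False,
    }


def safe_load(path: str, allowed_sha256: Iterable[str]):
    """Hypothetical wrapper: only call torch.load(weights_only=True) once the
    checkpoint passed the verdict above; otherwise raise with the reasons."""
    with open(path, "rb") as f:
        data = f.read()
    verdict = checkpoint_verdict(data, allowed_sha256, installed_torch_version())
    if not verdict["allowed"]:
        raise RuntimeError(f"refusing to load {path}: {verdict}")
    import torch  # imported lazily so the gating logic runs without torch
    return torch.load(path, weights_only=True, map_location="cpu")


if __name__ == "__main__":
    # Constructed sample inventory (not real hosts).
    inventory = {"gpu-01": "2.9.1+cu121", "gpu-02": "2.10.0", "dev-box": "1.13.1"}
    print("hosts needing the 2.10.0 patch:", vulnerable_hosts(inventory))
    # Constructed sample checkpoint bytes, not a real .pth file.
    sample = b"constructed-sample-checkpoint"
    allowlist = {sha256_hex(sample)}
    print(checkpoint_verdict(sample, allowlist, "2.9.1")["allowed"])   # False
    print(checkpoint_verdict(sample, allowlist, "2.10.0")["allowed"])  # True
```

The allowlist is the operational piece: `weights_only=True` was the safer loading mode that this CVE undermines, so until every interpreter is on 2.10.0 or later the wrapper treats any checkpoint whose digest the operator has not recorded as untrusted, and an unknown `torch` version as a failed check rather than a pass.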