Cyber Resilience

CVE-2026-24747

High · Public PoC · RCE · Updated

Published: 27 January 2026

Modified: 30 June 2026
KEV Added
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0063 (45.5th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-24747 is a high-severity Code Injection (CWE-94) vulnerability in Linux Foundation PyTorch. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The vulnerability ranks at the 45.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is AI-related: it is categorised as Deep Learning Frameworks, in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-24747 affects PyTorch, a Python package for tensor computation, in versions prior to 2.10.0. The vulnerability lies in the `weights_only` unpickler, enabling an attacker to craft a malicious checkpoint file (.pth) that corrupts memory when loaded via `torch.load(..., weights_only=True)`. This flaw maps to CWE-94 (Code Injection) and CWE-502 (Deserialization of Untrusted Data), earning a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

Exploitation requires an attacker to deliver a specially crafted .pth file to a victim, who must then load it using the vulnerable `torch.load` call with `weights_only=True`; this is the user-interaction requirement (UI:R). No privileges are needed (PR:N), and attacks can originate over the network (AV:N) with low complexity (AC:L). Successful exploitation corrupts memory and can lead to arbitrary code execution, with high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H).

PyTorch version 2.10.0 resolves the issue. Mitigation involves updating to this version or later. Official resources include the security advisory (GHSA-63cw-57p8-fm3p), the fixing commit (954dc5183ee9205cbe79876ad05dd2d9ae752139), the issue discussion (issues/163105), and release notes for v2.10.0.

PyTorch's role in machine learning makes this vulnerability pertinent to AI/ML workflows, where checkpoint files are commonly shared and loaded with `weights_only=True` for safer deserialization.

Vulnerability details

PyTorch is a Python package that provides tensor computation. Prior to version 2.10.0, a vulnerability in PyTorch's `weights_only` unpickler allows an attacker to craft a malicious checkpoint file (`.pth`) that, when loaded with `torch.load(..., weights_only=True)`, can corrupt memory and potentially lead to arbitrary code execution. Version 2.10.0 fixes the issue.

AI Security Analysis

AI Category: Deep Learning Frameworks
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: pytorch

Related Threats

MITRE ATT&CK Enterprise Techniques

T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
T1059.006 Python Execution
Adversaries may abuse Python commands and scripts for execution.
Why these techniques?

Vulnerability enables arbitrary code execution via deserialization of a malicious .pth checkpoint file loaded by the victim (T1204.002 Malicious File); execution occurs through the Python interpreter in PyTorch (T1059.006 Python).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-2148: Same product (Linux Foundation PyTorch)
CVE-2026-35171: Same vendor (Linux Foundation)
CVE-2026-25153: Same vendor (Linux Foundation)
CVE-2026-31249: Shared CWE-502
CVE-2026-31253: Shared CWE-502, CWE-94
CVE-2026-31214: Shared CWE-502
CVE-2025-51480: Same vendor (Linux Foundation)
CVE-2026-32613: Same vendor (Linux Foundation)
CVE-2026-31221: Shared CWE-502
CVE-2026-33701: Same vendor (Linux Foundation)

Affected Assets

linuxfoundation
pytorch
≤ 2.10.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: Flaw remediation requires timely patching of PyTorch to version 2.10.0 or later, directly eliminating the vulnerable `weights_only` unpickler.

Detect: Vulnerability monitoring and scanning identifies systems with vulnerable PyTorch versions affected by this deserialization flaw.

Prevent: Memory protection mechanisms mitigate memory corruption from malicious checkpoint deserialization, hindering arbitrary code execution.
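
A minimal inventory check for the scanning and remediation controls above, added here as an illustration and not taken from the advisory or the PyTorch project: it flags `torch` pins below 2.10.0 in requirements-style lines and in the current environment. The sample lines, the function names and the choice to report pre-release 2.10.0 builds as unverified are assumptions.

```python
import re
from importlib import metadata

FIXED = (2, 10, 0)  # first fixed release, per the advisory text on this page

# Requirement line for the pip package "torch" only (torchvision etc. do not match).
_REQ = re.compile(r"^\s*torch\s*(?:\[[^\]]*\])?\s*(?:(==|>=|<=|~=|!=|<|>)\s*"
                  r"([^\s;#,]+))?\s*(?:[;#,].*)?$", re.I)

def classify(version):
    """Map one version string to 'vulnerable', 'fixed' or 'unverified'."""
    public = version.strip().split("+", 1)[0]      # drop local tag such as +cu121
    m = re.match(r"v?(\d+(?:\.\d+)*)(.*)$", public)
    if not m:
        return "unverified"
    release = tuple(int(p) for p in m.group(1).split("."))
    release += (0,) * (3 - len(release))           # "2.9" compares as 2.9.0
    if release < FIXED:
        return "vulnerable"
    # Assumption: a dev/rc build of the fixed release may predate the fixing commit.
    if release == FIXED and re.match(r"\.?(a|b|rc|dev)\d*", m.group(2), re.I):
        return "unverified"
    return "fixed"

def scan(lines):
    """Return (line_no, verdict) for each requirement line that names torch."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = _REQ.match(line)
        if m:
            op, ver = m.groups()
            # Ranges and bare names resolve at install time, so they cannot be judged here.
            findings.append((no, classify(ver) if op == "==" else "unpinned"))
    return findings

def installed_verdict():
    """Classify the torch distribution installed in the current environment."""
    try:
        return classify(metadata.version("torch"))
    except metadata.PackageNotFoundError:
        return "not installed"

# Constructed sample requirements file (not taken from the advisory).
SAMPLE = ["numpy==2.1.0", "torch==2.9.1+cu121  # GPU build", "torchvision==0.24.1",
          "Torch == 2.10.0", "torch==2.10.0.dev20251001+cpu", "torch>=2.0,<3"]

if __name__ == "__main__":
    for no, verdict in scan(SAMPLE):
        print(f"line {no}: {verdict}")
    print("installed:", installed_verdict())
```

Lines reported as `unpinned` or `unverified` need the resolved version or build provenance checked by hand before the host is treated as remediated.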

References