DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-24747: Heavy Weights: Crushing PyTorch's 'Secure' Loader via Heap Corruption


Vulnerability ID: CVE-2026-24747
CVSS Score: 8.8
Published: 2026-01-27

A critical heap corruption vulnerability in PyTorch's restricted unpickler allows attackers to bypass the weights_only=True security flag, turning safe model loading into arbitrary code execution.

TL;DR

The weights_only=True flag in PyTorch was supposed to be the silver bullet against Pickle RCE. However, a logic flaw in the underlying C++ unpickler allows attackers to use the SETITEM opcode on non-container objects. This causes Type Confusion on the heap, allowing a malicious model file to corrupt memory and execute arbitrary code, even when the user explicitly requests 'safe' loading.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-843 (Type Confusion)
  • Attack Vector: Network / File (Context Dependent)
  • CVSS: 8.8 (Critical)
  • Impact: Remote Code Execution (RCE)
  • Trigger: Opcode 'SETITEM' on non-container
  • Component: torch/csrc/jit/serialization/unpickler.cpp

Affected Systems

  • PyTorch < 2.10.0 (fixed in 2.10.0)
  • Systems loading untrusted .pt/.pth files
  • Model training pipelines using SWALR

Code Analysis

Commit: 954dc51

Fix SWALR serialization to prevent anneal_func pickling

@@ -1,5 +1,9 @@
-        return {key: value for key, value in self.__dict__.items()}
+        state = self.__dict__.copy()
+        state.pop('anneal_func', None)
+        state['_anneal_strategy'] = self._anneal_strategy
+        return state
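Review bot: the hunk strips `anneal_func` from the pickled state but shows no matching `__setstate__` that rebuilds it from `_anneal_strategy` on load, so an unpickled SWALR would come back without an `anneal_func` attribute until something restores it; if that restore lives elsewhere in the commit, the commit message should say so. Also, because `state = self.__dict__.copy()` already carries every instance attribute, the line `state['_anneal_strategy'] = self._anneal_strategy` is redundant unless `_anneal_strategy` is a property rather than a plain attribute; if it is a plain attribute the assignment can be dropped. Finally, the header `@@ -1,5 +1,9 @@` does not match the one removed and four added lines shown, so the hunk as quoted here looks truncated.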

Exploit Details

  • GitHub Issue: Initial report identifying the crash and opcode failure in SWALR serialization.

Mitigation Strategies

  • Enforce strict type validation in C++ unpickler opcodes
  • Sanitize SWALR and other scheduler serializations
  • Migrate to SafeTensors format where possible

Remediation Steps:

  1. Upgrade PyTorch to version 2.10.0 or later immediately.
  2. Regenerate any checkpoints created with the vulnerable SWALR implementation.
  3. Audit codebases for torch.load calls and ensure they handle exceptions gracefully.
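Remediation step 3 (auditing torch.load call sites) can be done mechanically. The following is an added example, not code from the advisory or from PyTorch: a stdlib-only AST pass that lists every `torch.load` call with its `weights_only` setting and whether it is wrapped in try/except, plus a version gate for the advisory's fixed release, since on PyTorch below 2.10.0 `weights_only=True` alone does not protect against this bug. The sample source, and the `path` and `log` names inside it, are constructed for the demo.

```python
import ast
import re
from dataclasses import dataclass
FIXED = (2, 10, 0)  # the advisory's fixed release

def is_patched(version: str) -> bool:
    # Only a plain X.Y.Z release >= 2.10.0 counts; dev/rc strings fail closed.
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.split("+", 1)[0])
    return bool(m) and tuple(int(x) for x in m.groups()) >= FIXED

@dataclass
class Finding:
    line: int
    weights_only: str  # source text of the keyword value, or "missing"
    guarded: bool      # True if the call sits inside a try block

class _TorchLoadAuditor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings = []
        self._try_depth = 0

    def visit_Try(self, node: ast.Try) -> None:
        self._try_depth += 1
        self.generic_visit(node)
        self._try_depth -= 1

    def visit_Call(self, node: ast.Call) -> None:
        f = node.func
        if (isinstance(f, ast.Attribute) and f.attr == "load"
                and isinstance(f.value, ast.Name) and f.value.id == "torch"):
            wo = "missing"
            for kw in node.keywords:
                if kw.arg == "weights_only":
                    wo = ast.unparse(kw.value)
            self.findings.append(Finding(node.lineno, wo, self._try_depth > 0))
        self.generic_visit(node)

def audit_torch_load(source: str) -> list:
    # Every torch.load(...) call with its weights_only setting and try/except status.
    auditor = _TorchLoadAuditor()
    auditor.visit(ast.parse(source))
    return auditor.findings

# Constructed sample input, not code from any real project.
SAMPLE = """import torch
model = torch.load("ckpt.pt")
try:
    sd = torch.load(path, weights_only=True)
except Exception as exc:
    log(exc)
"""
```

Run `audit_torch_load` over each file in the repository and treat any finding on a runtime where `is_patched(torch.__version__)` is False as a loader that must not see untrusted checkpoints, whatever its `weights_only` setting.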

Read the full report for CVE-2026-24747 on our website for more details including interactive diagrams and full exploit analysis.
