CVE-2026-24747
published 2026-01-27
CVE-2026-24747: PyTorch is a Python package that provides tensor computation. Prior to version 2.10.0, a vulnerability in PyTorch's `weights_only` unpickler allows an attacker…
Priority P3 · 53 · high · 8.8 · CVSS 3.1
AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
EPSS
0.69%
48.3th percentile
PyTorch is a Python package that provides tensor computation. Prior to version 2.10.0, a vulnerability in PyTorch's `weights_only` unpickler allows an attacker to craft a malicious checkpoint file (`.pth`) that, when loaded with `torch.load(..., weights_only=True)`, can corrupt memory and potentially lead to arbitrary code execution. Version 2.10.0 fixes the issue.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | pytorch | — | — |
| linuxfoundation | pytorch | < 2.10.0 | 2.10.0 |
| linuxfoundation | pytorch | >= 0 < 2.10.0 | 2.10.0 |
| pytorch | pytorch | < 2.10.0 | 2.10.0 |
CVSS provenance
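| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| osv | — | 8.8 | HIGH | — |
| vendor_debian | — | 8.8 | HIGH | — |
| vendor_redhat | — | 8.8 | HIGH | — |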
Red Hat
pytorch: PyTorch: Arbitrary code execution via malicious checkpoint file loading
vendor_redhat·2026-01-27·CVSS 8.8
CVE-2026-24747 [HIGH] CWE-502 pytorch: PyTorch: Arbitrary code execution via malicious checkpoint file loading
pytorch: PyTorch: Arbitrary code execution via malicious checkpoint file loading
PyTorch is a Python package that provides tensor computation. Prior to version 2.10.0, a vulnerability in PyTorch's `weights_only` unpickler allows an attacker to craft a malicious checkpoint file (`.pth`) that, when loaded with `torch.load(..., weights_only=True)`, can corrupt memory and potentially lead to arbitrary code execution. Version 2.10.0 fixes the issue.
A flaw was found in PyTorch, a Python package for tensor computation. A remote attacker could craft a malicious checkpoint file, which, when loaded using the `weights_only` unpickler, could lead to memory corruption. This vulnerability may enable an attacker to achieve arbitrary code execution on the affected system.
Package: rhoai/odh-codeflare-
Debian
CVE-2026-24747: pytorch - PyTorch is a Python package that provides tensor computation. Prior to version 2...
vendor_debian·2026·CVSS 8.8
CVE-2026-24747 [HIGH] CVE-2026-24747: pytorch - PyTorch is a Python package that provides tensor computation. Prior to version 2...
PyTorch is a Python package that provides tensor computation. Prior to version 2.10.0, a vulnerability in PyTorch's `weights_only` unpickler allows an attacker to craft a malicious checkpoint file (`.pth`) that, when loaded with `torch.load(..., weights_only=True)`, can corrupt memory and potentially lead to arbitrary code execution. Version 2.10.0 fixes the issue.
Scope: local
bookworm: open
bullseye: open
forky: open
sid: open
trixie: open
VulDB
PyTorch up to 2.9.x Checkpoint File deserialization (ID 163105 / Nessus ID 297037)
vuldb·2026-07-01·CVSS 8.8
CVE-2026-24747 [HIGH] PyTorch up to 2.9.x Checkpoint File deserialization (ID 163105 / Nessus ID 297037)
A vulnerability identified as critical has been detected in PyTorch up to 2.9.x. Affected by this issue is some unknown functionality of the component Checkpoint File Handler. This manipulation causes deserialization.
This vulnerability is registered as CVE-2026-24747. Remote exploitation of the attack is possible. No exploit is available.
You should upgrade the affected component.
OSV
PyTorch Vulnerable to Remote Code Execution via Untrusted Checkpoint Files
osv·2026-01-27
CVE-2026-24747 [HIGH] PyTorch Vulnerable to Remote Code Execution via Untrusted Checkpoint Files
PyTorch Vulnerable to Remote Code Execution via Untrusted Checkpoint Files
### Summary
A vulnerability in PyTorch's `weights_only` unpickler allows an attacker to craft a malicious checkpoint file (`.pth`) that, when loaded with `torch.load(..., weights_only=True)`, can corrupt memory and potentially lead to arbitrary code execution.
### Vulnerability Details
The `weights_only=True` unpickler failed to properly validate pickle opcodes and storage metadata, allowing:
1. **Heap memory corruption** via `SETITEM`/`SETITEMS` opcodes applied to non-dictionary types
2. **Storage size mismatch** between declared element count and actual data in the archive
### Impact
An attacker who can convince a user to load a malicious checkpoint file may achieve arbitrary code execution in the context o
OSV
CVE-2026-24747: PyTorch is a Python package that provides tensor computation
osv·2026-01-27·CVSS 8.8
CVE-2026-24747 [HIGH] CVE-2026-24747: PyTorch is a Python package that provides tensor computation
PyTorch is a Python package that provides tensor computation. Prior to version 2.10.0, a vulnerability in PyTorch's `weights_only` unpickler allows an attacker to craft a malicious checkpoint file (`.pth`) that, when loaded with `torch.load(..., weights_only=True)`, can corrupt memory and potentially lead to arbitrary code execution. Version 2.10.0 fixes the issue.
GHSA
PyTorch Vulnerable to Remote Code Execution via Untrusted Checkpoint Files
ghsa·2026-01-27
CVE-2026-24747 [HIGH] CWE-502 PyTorch Vulnerable to Remote Code Execution via Untrusted Checkpoint Files
PyTorch Vulnerable to Remote Code Execution via Untrusted Checkpoint Files
### Summary
A vulnerability in PyTorch's `weights_only` unpickler allows an attacker to craft a malicious checkpoint file (`.pth`) that, when loaded with `torch.load(..., weights_only=True)`, can corrupt memory and potentially lead to arbitrary code execution.
### Vulnerability Details
The `weights_only=True` unpickler failed to properly validate pickle opcodes and storage metadata, allowing:
1. **Heap memory corruption** via `SETITEM`/`SETITEMS` opcodes applied to non-dictionary types
2. **Storage size mismatch** between declared element count and actual data in the archive
### Impact
An attacker who can convince a user to load a malicious checkpoint file may achieve arbitrary code execution in the context o
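The first condition listed under Vulnerability Details (`SETITEM`/`SETITEMS` applied to a non-dictionary) can be screened for before a file reaches `torch.load`. The following is an added example, not code from PyTorch or from the advisory: a static pre-load check built on the standard-library `pickletools`. The function names and byte samples are constructed for illustration, and it assumes a zip-format checkpoint whose pickle stream is stored in a `.pkl` member.

```python
import pickletools
import zipfile

SAFE_TARGETS = {"dict", "any"}  # "any" = type not statically known (e.g. a REDUCE result)
# Constructed samples (not taken from any real checkpoint):
SETITEM_ON_LIST = b"\x80\x02]K\x00K\x01s."     # EMPTY_LIST, 0, 1, SETITEM
SETITEMS_ON_TUPLE = b"\x80\x02)(K\x00K\x01u."  # EMPTY_TUPLE, MARK, 0, 1, SETITEMS

def _pop_to_mark(stack):
    while stack and stack.pop() != "mark":
        pass

def find_bad_setitems(pickle_bytes):
    """Return [(offset, opcode, target_kind)] for SETITEM/SETITEMS whose
    target is provably not a dict, using an abstract stack of type names."""
    stack, memo, findings = [], {}, []
    for op, arg, pos in pickletools.genops(pickle_bytes):
        name = op.name
        if name in ("SETITEM", "SETITEMS"):
            if name == "SETITEM":
                del stack[-2:]          # drop key and value
            else:
                _pop_to_mark(stack)     # drop key/value pairs and the mark
            target = stack[-1] if stack else "underflow"
            if target not in SAFE_TARGETS:
                findings.append((pos, name, target))
        elif name in ("GET", "BINGET", "LONG_BINGET"):
            stack.append(memo.get(arg, "any"))
        elif name in ("PUT", "BINPUT", "LONG_BINPUT", "MEMOIZE"):
            key = len(memo) if name == "MEMOIZE" else arg
            memo[key] = stack[-1] if stack else "any"
        else:
            before = [s.name for s in op.stack_before]
            if "mark" in before:        # variable-length pop down to the mark
                _pop_to_mark(stack)
                before = before[:before.index("mark")]
            if before:
                del stack[-len(before):]
            stack.extend(s.name for s in op.stack_after)
    return findings

def scan_checkpoint(source):
    """Scan every *.pkl member of a zip-format checkpoint (path or file object)."""
    with zipfile.ZipFile(source) as zf:
        scans = {m: find_bad_setitems(zf.read(m)) for m in zf.namelist() if m.endswith(".pkl")}
    return {m: hits for m, hits in scans.items() if hits}
```

The check reports only cases it can prove from the opcode stream and does not cover the storage size mismatch, so it complements the upgrade to 2.10.0 and does not replace it.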
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-24747 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.8
CVE-2026-24747 [HIGH] CVE-2026-24747 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24747 :
CBL Mariner vulnerability analysis and mitigation
Source : NVD
Score: 8.8
Published January 27, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
CBL Mariner
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 15.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
pytorch
Sources
NVD
CBL-Mariner 2.0 Severity HIGH Has Fix Added at: Feb 15, 2026
CBL-Mariner 3.0 Severity HIGH Has Fix Added at: Feb 04, 2026
Debian 11, 12, 13 Severity MEDIUM No Fix Added at: Jan 28, 2026
Debian 14 Severity HIGH No Fix Added at: Jan 28, 2026
Echo Severity HIGH No Fix Added at: Jan 28, 2026
pi
Bugzilla
CVE-2026-24747 cpuinfo: PyTorch: Arbitrary code execution via malicious checkpoint file loading [epel-10]
bugzilla·2026-04-28·CVSS 8.8
CVE-2026-24747 [HIGH] CVE-2026-24747 cpuinfo: PyTorch: Arbitrary code execution via malicious checkpoint file loading [epel-10]
CVE-2026-24747 cpuinfo: PyTorch: Arbitrary code execution via malicious checkpoint file loading [epel-10]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-24747 python-torch: PyTorch Vulnerable to Remote Code Execution via Untrusted Checkpoint Files [fedora-42]
bugzilla·2026-01-28·CVSS 9.3
CVE-2026-24747 [CRITICAL] CVE-2026-24747 python-torch: PyTorch Vulnerable to Remote Code Execution via Untrusted Checkpoint Files [fedora-42]
CVE-2026-24747 python-torch: PyTorch Vulnerable to Remote Code Execution via Untrusted Checkpoint Files [fedora-42]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This is sadly distinct from CVE-2025-32434. Moreover, any vulns in weights_only=True are real security issues for our users - it's supposed to be a safe function.
---
Unfortunately, both the commit and bug number provided in the NVD for this vuln seem unrelated.
Luckily, I was able to find the patch:
https://github.com/pytorch/pytorch/commit/0e2459f08fc5329979e6ad986014278f2a87618c
---
This message is a reminder that Fedora Linux 42 is
Bugzilla
CVE-2026-24747 pytorch: PyTorch: Arbitrary code execution via malicious checkpoint file loading
bugzilla·2026-01-27·CVSS 9.3
CVE-2026-24747 [CRITICAL] CVE-2026-24747 pytorch: PyTorch: Arbitrary code execution via malicious checkpoint file loading
CVE-2026-24747 pytorch: PyTorch: Arbitrary code execution via malicious checkpoint file loading
PyTorch is a Python package that provides tensor computation. Prior to version 2.10.0, a vulnerability in PyTorch's `weights_only` unpickler allows an attacker to craft a malicious checkpoint file (`.pth`) that, when loaded with `torch.load(..., weights_only=True)`, can corrupt memory and potentially lead to arbitrary code execution. Version 2.10.0 fixes the issue.
Discussion:
The CVE listing seems to have a patch attached, but I honestly can't tell if it fixes the CVE or not; it seems unrelated.
---
This is sadly distinct from CVE-2025-32434. Moreover, any vulns in weights_only=True are real security issues for our users - it's supposed to be a safe function.
---
This appears to hit F42
https://github.com/pytorch/pytorch/163122/commit/954dc5183ee9205cbe79876ad05dd2d9ae752139
https://github.com/pytorch/pytorch/issues/163105
https://github.com/pytorch/pytorch/releases/tag/v2.10.0
https://github.com/pytorch/pytorch/security/advisories/GHSA-63cw-57p8-fm3p
https://access.redhat.com/errata/RHSA-2026:24977
https://access.redhat.com/security/cve/CVE-2026-24747
https://bugzilla.redhat.com/show_bug.cgi?id=2433612
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-24747.json
2026-01-27
Published