CVE-2026-4538 — Improper Input Validation in Pytorch

CWE-20 — Improper Input Validation CWE-502 — Deserialization of Untrusted Data6 documents6 sources

Severity

4.8MEDIUMNVD

EPSS

0.0%

top 95.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Pytorch

Timeline

PublishedMar 22

Description

A vulnerability was identified in PyTorch 2.10.0. The affected element is an unknown function of the component pt2 Loading Handler. The manipulation leads to deserialization. The attack can only be performed from a local environment. The exploit is publicly available and might be used. The project was informed of the problem early through a pull request but has not reacted yet.

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Affected Packages1 packages

▶debiandebian/pytorch

🔴Vulnerability Details

OSV

CVE-2026-4538: A vulnerability was identified in PyTorch 2↗2026-03-22

▶

GHSA

GHSA-33x2-ppm4-v46v: A vulnerability was identified in PyTorch 2↗2026-03-22

▶

📋Vendor Advisories

Red Hat

pytorch: PyTorch: Deserialization vulnerability in pt2 Loading Handler allows local impact↗2026-03-22

▶

Debian

CVE-2026-4538: pytorch - A vulnerability was identified in PyTorch 2.10.0. The affected element is an unk...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-4538 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶