Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Triggered by parsing a local, attacker-supplied file (AV:L, UI:R); no authentication to the library is required (PR:N); the sign-confusion overflow triggers reliably (AC:L); heap corruption leading to RCE gives full confidentiality, integrity and availability impact (C/I/A:H).
Primary rating from Vendor (GitHub_M).
CVSS Vector (Vendor: GitHub_M)
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description (CVE.org)
stable-diffusion.cpp is a pure C/C++ library for running inference on diffusion models (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more). In versions prior to master-584-0a7ae07, the pickle .ckpt parser in src/model.cpp contained a heap buffer overflow vulnerability in the BINUNICODE opcode handler. The issue was caused by sign confusion on the opcode length field: a crafted .ckpt file could make the parser call memcpy with a very large length derived from a negative signed value, causing immediate heap corruption. The issue has been resolved in version master-584-0a7ae07. Developers who cannot immediately update can work around the issue by loading .ckpt checkpoint files only from trusted sources, and by preferring trusted model sources and safer formats such as .safetensors where possible.
Analysis (AI)
Heap-based buffer overflow in stable-diffusion.cpp's pickle .ckpt parser allows attackers to corrupt memory and likely achieve code execution when a victim loads a maliciously crafted checkpoint file. The flaw stems from sign confusion in the BINUNICODE opcode length field, causing memcpy to be called with an attacker-controlled, effectively gigantic size derived from a negative signed integer. …
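As an added illustration (not the project's code; the real handler in src/model.cpp is not reproduced here), the C sketch below places a hypothetical BINUNICODE length read with the sign-confusion defect beside a hardened version that keeps the 4-byte little-endian length unsigned and bounds-checks it against the remaining stream before any memcpy. Function names and the sample byte streams are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed streams: BINUNICODE opcode 'X', 4-byte little-endian length,
   then payload. CRAFTED has length 0xFFFFFFFE (-2 as int32); BENIGN has 2. */
static const unsigned char CRAFTED[] = { 'X', 0xFE, 0xFF, 0xFF, 0xFF, 'h', 'i' };
static const unsigned char BENIGN[]  = { 'X', 0x02, 0x00, 0x00, 0x00, 'h', 'i' };

static uint32_t read_le32(const unsigned char *p)
{ return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }

/* Vulnerable pattern (hypothetical): length parsed as signed, then widened to
   size_t for memcpy; a negative value becomes near SIZE_MAX. Only the length
   the copy would receive is returned; the overflowing memcpy is not performed. */
int binunicode_len_vulnerable(const unsigned char *p, size_t n, size_t *out)
{
    if (n < 5 || p[0] != 'X') return -1;
    int32_t len = (int32_t)read_le32(p + 1);  /* sign confusion: 0xFFFFFFFE -> -2 */
    *out = (size_t)len;                       /* -2 widens to 0xFFFF...FFFE */
    return 0;                                 /* no check against n - 5 */
}

/* Hardened pattern: unsigned length, bounds-checked against the remaining
   stream before any copy happens. */
int binunicode_len_safe(const unsigned char *p, size_t n, size_t *out)
{
    if (n < 5 || p[0] != 'X') return -1;
    uint32_t len = read_le32(p + 1);
    if (len > n - 5) return -1;               /* would read past the stream */
    *out = len;
    return 0;
}

/* Copy the payload into dst as a C string; -1 on malformed input or a too-small dst. */
long binunicode_copy_safe(const unsigned char *p, size_t n, char *dst, size_t cap)
{
    size_t len;
    if (binunicode_len_safe(p, n, &len) != 0 || len >= cap) return -1;
    memcpy(dst, p + 5, len);
    dst[len] = '\0';
    return (long)len;
}

int main(void)
{
    size_t bad = 0; char buf[16];
    binunicode_len_vulnerable(CRAFTED, sizeof CRAFTED, &bad);
    printf("vulnerable length %zu for a %zu-byte stream\n", bad, sizeof CRAFTED);
    return binunicode_copy_safe(BENIGN, sizeof BENIGN, buf, sizeof buf) == 2 ? 0 : 1;
}
```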
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires the victim to load an attacker-supplied .ckpt (pickle) checkpoint file with a vulnerable build of stable-diffusion.cpp prior to master-584-0a7ae07; the vulnerable code path is reached only when init_from_file dispatches into the legacy ckpt loader (is_ckpt_file true), so files in .safetensors or other non-pickle formats do not trigger it. … |
| Risk Assessment | The CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H accurately characterizes this as a local, user-interaction-required file-parsing bug with full CIA impact, consistent with a memory-corruption primitive triggered when a user voluntarily loads a malicious model. … |
| Exploit Scenario | An attacker uploads a malicious .ckpt model to a public model-sharing site or sends it directly to a target (e.g., an artist, ML engineer, or an automated image-generation service that ingests user-supplied models). When the victim loads the file with a vulnerable stable-diffusion.cpp build, the crafted BINUNICODE opcode triggers a heap overflow during parsing, corrupting adjacent heap metadata and giving the attacker a primitive that can plausibly be developed into arbitrary code execution in the inference process. … |
| Remediation | Vendor-released patch: master-584-0a7ae07. Update stable-diffusion.cpp (and rebuild any embedding application) to this revision or later, per GHSA-mghm-5mqc-pwmp and PR #1443. … |
Recommended Action (AI)
24 hours: Audit all stable-diffusion.cpp deployments and restrict loading of checkpoint files to trusted, internally-maintained sources only. …
EUVD-2026-37204