Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Upgraded C from N to L because CWE-125 out-of-bounds reads in C/C++ can expose adjacent memory, so C:N conflicts with the 'Information Disclosure' tag; all other metrics align with the official vector.
Primary rating from Vendor (GitHub_M).
CVSS Vector (Vendor: GitHub_M)
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Description (CVE.org)
stable-diffusion.cpp is a pure C/C++ library for running diffusion model inference (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more). Versions prior to master-584-0a7ae07 are vulnerable to an out-of-bounds read through PyTorch checkpoint pickle opcode parsing. The pickle .ckpt parser in src/model.cpp did not consistently check that enough input remained before reading opcode arguments or advancing the parser buffer when given a crafted or truncated .ckpt file. Throughout the pickle parser, opcode handlers advanced the parser position with expressions such as buffer += N without first checking that buffer + N <= buffer_end. A truncated file could therefore cause reads past the end of the metadata buffer. LibFuzzer found crashes in under one second using malformed checkpoint inputs. Any application using affected stable-diffusion.cpp releases to load untrusted .ckpt model files could be vulnerable. The attack requires the victim or application to load a .ckpt file from an untrusted source, such as a model downloaded from a model-sharing site. This issue has been fixed in version master-584-0a7ae07. If developers are unable to immediately update their applications, they can work around this issue by ensuring they do not load .ckpt checkpoint files from untrusted sources. They should prefer trusted model sources and safer formats such as .safetensors where possible.
Analysis (AI)
Out-of-bounds reads in stable-diffusion.cpp's PyTorch pickle checkpoint parser (versions prior to master-584-0a7ae07) allow a crafted or truncated .ckpt file to crash the loading application or leak process memory contents. The pickle opcode handlers in src/model.cpp advanced the buffer pointer without verifying remaining bytes before each read, meaning any application using this library to load untrusted .ckpt model files is exposed to denial-of-service and potential memory disclosure. …
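The missing check that the description and the analysis above both describe, shown as an added C++ example that is not code from stable-diffusion.cpp and does not mirror the layout of src/model.cpp. It walks a small subset of protocol-2 pickle opcodes; every read of an opcode argument goes through a bounds-checked take() instead of an unchecked buffer += N, so a truncated or length-lying stream is rejected rather than read past the end. The opcode subset, the Cursor and WalkResult names, and the sample stream are assumptions chosen for illustration; the sample bytes are constructed and are not a real checkpoint.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Protocol-2 pickle opcodes used below (byte values as documented in CPython's pickletools).
namespace op {
constexpr uint8_t PROTO = 0x80, EMPTY_DICT = '}', MARK = '(', BINUNICODE = 'X',
                  BININT1 = 'K', BININT = 'J', SETITEMS = 'u', STOP = '.';
}

// Cursor over the pickle bytes. Every advance goes through take(), which refuses to
// move past `end`; the unpatched handlers did `buffer += N` with no such check.
struct Cursor {
    const uint8_t *cur;
    const uint8_t *end;

    bool take(size_t n, const uint8_t **out) {
        if (n > static_cast<size_t>(end - cur)) return false;  // would read past end
        *out = cur;
        cur += n;
        return true;
    }
    bool u8(uint8_t *v) {
        const uint8_t *p;
        if (!take(1, &p)) return false;
        *v = p[0];
        return true;
    }
    bool u32le(uint32_t *v) {
        const uint8_t *p;
        if (!take(4, &p)) return false;
        *v = uint32_t(p[0]) | uint32_t(p[1]) << 8 | uint32_t(p[2]) << 16 | uint32_t(p[3]) << 24;
        return true;
    }
};

struct WalkResult {
    bool ok = false;                   // reached STOP with every argument fully inside the buffer
    size_t consumed = 0;               // bytes read; never exceeds the input length
    std::vector<std::string> strings;  // BINUNICODE payloads (tensor names in a .ckpt)
};

// Walks the opcode stream. Returns ok=false on truncation or on an unknown opcode
// instead of guessing an argument width and bumping the pointer past the end.
WalkResult walk_pickle(const uint8_t *data, size_t len) {
    WalkResult r;
    Cursor c{data, data + len};
    const uint8_t *p;
    uint8_t code;
    while (c.u8(&code)) {
        switch (code) {
        case op::PROTO:
        case op::BININT1:
            if (!c.take(1, &p)) goto done;  // one-byte argument
            break;
        case op::BININT:
            if (!c.take(4, &p)) goto done;  // four-byte argument
            break;
        case op::BINUNICODE: {
            uint32_t n;
            // The length is attacker-controlled: check it against the remaining bytes
            // before touching the payload, instead of trusting it.
            if (!c.u32le(&n) || !c.take(n, &p)) goto done;
            r.strings.emplace_back(reinterpret_cast<const char *>(p), n);
            break;
        }
        case op::EMPTY_DICT:
        case op::MARK:
        case op::SETITEMS:
            break;  // no inline arguments
        case op::STOP:
            r.ok = true;
            goto done;
        default:
            goto done;  // unknown opcode: refuse rather than guess
        }
    }
done:
    r.consumed = static_cast<size_t>(c.cur - data);
    return r;
}

// Fuzzer-style check: every proper prefix of a valid pickle is a truncated file, so the
// walker must fail on all of them and must never consume more bytes than it was given.
bool rejects_all_truncations(const uint8_t *data, size_t len) {
    for (size_t cut = 0; cut < len; ++cut) {
        WalkResult r = walk_pickle(data, cut);
        if (r.ok || r.consumed > cut) return false;
    }
    return true;
}

// Constructed sample (not a real checkpoint): {"conv.weight": 7} as a protocol-2 pickle.
static const uint8_t kSample[] = {
    op::PROTO, 2, op::EMPTY_DICT, op::MARK,
    op::BINUNICODE, 11, 0, 0, 0, 'c', 'o', 'n', 'v', '.', 'w', 'e', 'i', 'g', 'h', 't',
    op::BININT1, 7, op::SETITEMS, op::STOP,
};
static const size_t kSampleLen = sizeof(kSample);
```

The same check has to sit in front of both kinds of reads the description mentions: the fixed-width arguments (PROTO, BININT) and the length-prefixed payloads (BINUNICODE), where the length itself comes from the file. Cutting the sample stream inside the BINUNICODE payload makes take(11) fail with only three bytes left, which is exactly the case an unchecked `buffer += N` would walk past.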
Vulnerability Assessment (AI)
| Topic | Assessment |
|---|---|
| Exploitation | Exploitation requires the victim application to load a .ckpt format PyTorch checkpoint file originating from an untrusted source; the vulnerability is not triggered by .safetensors, GGUF, or other non-pickle model formats. … |
| Risk Assessment | The CVSS 3.1 score of 5.5 (Medium) reflects a local attack vector requiring user interaction: an attacker cannot exploit this without the victim first loading a crafted .ckpt file, which makes automated mass exploitation unlikely. … |
| Exploit Scenario | An attacker publishes a maliciously crafted or deliberately truncated .ckpt model file on a popular model-sharing platform such as Hugging Face or CivitAI. A developer or end user downloads and loads the file into an application built on an unpatched version of stable-diffusion.cpp, triggering the out-of-bounds read in the pickle opcode parser, which causes an application crash or, depending on runtime memory layout, leaks adjacent heap contents. … |
| Remediation | Upstream fix available (commit 0a7ae07f948eff4611968a65a22bd7c7031ad74f); a formally tagged release beyond the master-584-0a7ae07 identifier is not independently confirmed. … |
EUVD-2026-37137