Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitation needs the user to open a malicious local .ckpt (AV:L, UI:R) with no auth (PR:N); heap-overflow primitive plausibly yields full C/I/A impact in-process.
Primary rating from Vendor (GitHub_M).
CVSS Vector (Vendor: GitHub_M)
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description (CVE.org)
stable-diffusion.cpp is a pure C/C++ library for running diffusion model (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more) inference. Versions prior to master-584-0a7ae07 are vulnerable to heap buffer overflow in SHORT_BINUNICODE parsing for PyTorch checkpoint files. The pickle .ckpt parser in src/model.cpp contained a heap buffer overflow vulnerability in the SHORT_BINUNICODE opcode handler. The issue was caused by sign confusion on the opcode length field. A crafted .ckpt file could trigger memcpy with a very large length derived from a negative signed value, causing immediate heap corruption. Any application using affected stable-diffusion.cpp releases to load untrusted .ckpt model files could be vulnerable. A malicious checkpoint file could cause heap corruption through memcpy with an attacker-controlled length. This may lead to process crash and could potentially be leveraged for code execution depending on heap layout. The attack requires the victim or application to load a .ckpt file from an untrusted source, such as a downloaded model from a model sharing site. The issue has been resolved in version master-584-0a7ae07. If developers are unable to immediately update their applications they can work around this issue by not loading .ckpt checkpoint files from untrusted sources, and referring to trusted model sources and safer formats such as .safetensors where possible.
Analysis (AI)
Heap buffer overflow in stable-diffusion.cpp versions prior to master-584-0a7ae07 allows attackers to corrupt memory and potentially achieve code execution when a victim loads a malicious PyTorch .ckpt checkpoint file. The flaw resides in the SHORT_BINUNICODE opcode handler of the pickle parser in src/model.cpp, where a signed length field is mishandled and passed to memcpy. …
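As an added illustration (not code from stable-diffusion.cpp or from its fix), the C++ below shows the sign-confusion pattern the description refers to beside a bounds-checked handler for the pickle SHORT_BINUNICODE opcode (0x8c, a real protocol-4 opcode). The function names, the `parse_short_binunicode` signature and the constructed byte streams are assumptions made for this example; the actual handler in src/model.cpp is not reproduced.

```cpp
// Added example: SHORT_BINUNICODE length handling, buggy pattern vs. hardened parse.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

static const uint8_t SHORT_BINUNICODE = 0x8c; // pickle protocol-4 opcode

// Buggy length computation (illustrative, hypothetical): the one-byte length is
// read as a signed value and then widened to size_t. Any byte >= 0x80 becomes a
// negative number, and the widening turns -128 into SIZE_MAX - 127, which is the
// "very large length derived from a negative signed value" passed to memcpy.
size_t unchecked_length(uint8_t raw) {
    int8_t signed_len = static_cast<int8_t>(raw); // 0x80 -> -128
    size_t n = signed_len;                        // -128 -> SIZE_MAX - 127
    return n;
}

// Hardened handler (assumed API): the length byte is kept unsigned (0..255) and
// checked against the bytes actually remaining in the stream before any copy.
// Returns false on a truncated or malformed stream; pos is advanced on success.
bool parse_short_binunicode(const std::vector<uint8_t>& buf, size_t& pos, std::string& out) {
    if (pos >= buf.size() || buf[pos] != SHORT_BINUNICODE) return false;
    size_t hdr = pos + 1;
    if (hdr >= buf.size()) return false;        // no length byte present
    size_t len = buf[hdr];                      // uint8_t: never negative
    size_t data = hdr + 1;
    if (len > buf.size() - data) return false;  // would read past the buffer
    out.assign(reinterpret_cast<const char*>(buf.data() + data), len);
    pos = data + len;
    return true;
}

// Constructed sample streams (not taken from any real checkpoint).
// A well-formed 5-byte string followed by STOP ('.'), and a stream whose
// length byte claims 0x80 bytes but only carries three.
std::vector<uint8_t> good_stream()      { return {0x8c, 0x05, 'h', 'e', 'l', 'l', 'o', '.'}; }
std::vector<uint8_t> truncated_stream() { return {0x8c, 0x80, 'a', 'b', 'c'}; }

int main() {
    std::printf("length byte 0x80 via signed path: %zu\n", unchecked_length(0x80));
    std::string s;
    size_t pos = 0;
    std::vector<uint8_t> g = good_stream();
    std::printf("good stream parsed: %d (\"%s\")\n", parse_short_binunicode(g, pos, s), s.c_str());
    pos = 0;
    std::vector<uint8_t> t = truncated_stream();
    std::printf("truncated stream rejected: %d\n", !parse_short_binunicode(t, pos, s));
    return 0;
}
```

The check `len > buf.size() - data` is written as a subtraction on the known-valid remaining size rather than `data + len > buf.size()`, so it cannot itself overflow; the unsigned length type removes the sign confusion, and the remaining-bytes check is what keeps a crafted length from reaching a copy.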
Vulnerability Assessment (AI)
| Exploitation | Exploitation requires the victim application to call the ckpt loader path on an attacker-supplied PyTorch .ckpt (pickle) checkpoint file; concretely, code reaching ModelLoader::init_from_ckpt_file / read_ckpt_file in src/model.cpp on a file whose pickle stream contains a crafted SHORT_BINUNICODE opcode with a length byte >= 0x80. … |
| Risk Assessment | The CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H scores 7.8 (High) and accurately reflects a local-file-driven memory corruption: exploitation requires the user to load an attacker-supplied .ckpt file (UI:R), but needs no prior authentication or privileges on the host. … |
| Exploit Scenario | An attacker uploads a malicious 'fine-tuned' diffusion checkpoint to a public model-sharing site with attractive metadata; a developer or end user of a stable-diffusion.cpp-based tool downloads it and invokes the application's standard model-load flow on the .ckpt. While parsing the embedded pickle stream, the SHORT_BINUNICODE handler interprets a crafted 0x80+ length byte as a large negative signed value and calls memcpy with an enormous size, corrupting adjacent heap structures and either crashing the process or, with careful heap grooming, hijacking control flow to run the attacker's code with the user's privileges. |
| Remediation | Upstream fix available (PR/commit); released patched version not independently confirmed. Update to master-584-0a7ae07 or later by pulling commit 0a7ae07 (https://github.com/leejet/stable-diffusion.cpp/commit/0a7ae07f948eff4611968a65a22bd7c7031ad74f, merged via https://github.com/leejet/stable-diffusion.cpp/pull/1443) and rebuilding any application that vendors the library. … |
Recommended Action (AI)
Within 24 hours: Identify all stable-diffusion.cpp deployments using versions prior to master-584-0a7ae07 and document which load external .ckpt files. …
EUVD-2026-37138