Severity by source
CVSS 3.1 vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Trigger requires loading an attacker-supplied file locally (AV:L, UI:R); no auth needed (PR:N); heap OOB write in-process yields full CIA impact (C:H/I:H/A:H), no scope change.
Primary rating from vendor (GitHub_M): CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description (source: CVE.org)
stable-diffusion.cpp is a pure C/C++ library for running diffusion model (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more) inference. In versions prior to master-584-0a7ae07, the pickle .ckpt parser in src/model.cpp contained a heap buffer overflow vulnerability in the GLOBAL opcode handler. The issue was caused by missing validation when searching for newline-delimited fields. A crafted .ckpt file without the expected newline could cause the parser to use -1 as a copy length, resulting in immediate heap corruption. The attack requires the victim or application to load a .ckpt file from an untrusted source, such as a downloaded model from a model sharing site. The issue has been resolved in version master-584-0a7ae07. If developers are unable to immediately update their applications they can work around this issue by following these instructions: do not load .ckpt checkpoint files from untrusted sources, and prefer trusted model sources and safer formats such as .safetensors where possible.
Analysis (AI-generated)
Heap buffer overflow in the leejet stable-diffusion.cpp pickle .ckpt parser allows arbitrary code execution when a user or host application loads a maliciously crafted checkpoint file. The flaw resides in the GLOBAL opcode handler within src/model.cpp, where missing newline validation lets a -1 length value drive a heap memory copy, corrupting the heap of the diffusion inference process. …
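As an added example (not stable-diffusion.cpp's own code, and not the patched loader from pull request 1443), the following C++ reader shows the check the description says was missing: a GLOBAL argument whose field is not newline-terminated is rejected outright instead of a failed search result becoming the copy length. The names GlobalRef, read_nl_field, parse_global_arg, global_arg_ok and the 256-byte field limit are assumptions of this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// A GLOBAL opcode ('c') in a pickle stream is followed by two newline-terminated
// text fields: "<module>\n<qualified name>\n".
struct GlobalRef {
    std::string module;
    std::string name;
};

// Reads one newline-terminated field starting at *pos. Returns false, leaving
// *pos untouched, when no '\n' exists before the end of the buffer or when the
// field exceeds max_len. The scan index never passes buf.size() and is always
// >= start, so the copy length is a real size_t, never a sentinel such as -1.
static bool read_nl_field(const std::vector<uint8_t>& buf, size_t* pos,
                          size_t max_len, std::string* out) {
    const size_t start = *pos;
    if (start > buf.size()) return false;
    size_t i = start;
    while (i < buf.size() && buf[i] != '\n') ++i;
    if (i == buf.size()) return false;          // terminator missing: malformed
    const size_t len = i - start;
    if (len > max_len) return false;            // oversized field: reject
    out->assign(reinterpret_cast<const char*>(buf.data() + start), len);
    *pos = i + 1;                               // consume the newline
    return true;
}

// Parses the GLOBAL argument beginning at buf[*pos] (the byte after 'c').
// On success fills *out and advances *pos past both fields.
bool parse_global_arg(const std::vector<uint8_t>& buf, size_t* pos, GlobalRef* out) {
    size_t p = *pos;
    GlobalRef ref;
    if (!read_nl_field(buf, &p, 256, &ref.module)) return false;
    if (!read_nl_field(buf, &p, 256, &ref.name)) return false;
    *out = ref;
    *pos = p;
    return true;
}

// Convenience wrapper over a constructed byte string (sample input, not a real
// checkpoint): true only when both fields are present and well formed.
bool global_arg_ok(const std::string& bytes, GlobalRef* out) {
    std::vector<uint8_t> buf(bytes.begin(), bytes.end());
    size_t pos = 0;
    return parse_global_arg(buf, &pos, out);
}
```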
Vulnerability Assessment (AI-generated)

| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires (1) the target application to call stable-diffusion.cpp's legacy .ckpt loader path (is_ckpt_file → init_from_ckpt_file in src/model.cpp), (2) a victim or automated pipeline that loads a .ckpt file the attacker controls, typically downloaded from an untrusted model-sharing site, and (3) the .ckpt to contain a malformed GLOBAL opcode whose argument lacks the terminating newline, causing the parser's newline search to fail and feed -1 as a copy length. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H justifies the 7.8 base score: local attack vector with required user interaction, but full CIA impact consistent with code execution from heap corruption. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker uploads a poisoned .ckpt checkpoint to a public model-sharing site (HuggingFace mirror, Civitai-style hub, Discord drop) advertised as a popular fine-tune; the file omits the expected newline after a GLOBAL opcode argument. When a developer, artist, or downstream application loads the model with stable-diffusion.cpp, the parser computes a -1 length, corrupts the heap during the copy, and the attacker uses the resulting write primitive to gain code execution as the user running the inference process. … |
| Remediation | Upstream fix available (PR/commit); released patched version not independently confirmed. Upgrade to commit 0a7ae07f948eff4611968a65a22bd7c7031ad74f (referenced as master-584-0a7ae07) from PR https://github.com/leejet/stable-diffusion.cpp/pull/1443, which replaces the legacy ckpt loader with separate torch_legacy_io and torch_zip_io implementations. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended Action (AI-generated)
24 hours: Inventory all systems running stable-diffusion.cpp and disable external model downloads; restrict to internal/verified sources only. …
EUVD-2026-37198