Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local because a checkpoint file must be loaded (AV:L) with required victim interaction (UI:R); crafting the file needs no attacker privileges (PR:N), and code execution yields full C/I/A impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
PyTorch Lightning through 2.6.5, fixed in commit d710d68, contains a remote code execution vulnerability in the _load_state function that imports and executes attacker-controlled module names from checkpoint _instantiator hyperparameters. Attackers can craft malicious checkpoint files that bypass weights_only=True protections to execute arbitrary code when LightningModule.load_from_checkpoint is called.
AnalysisAI
Remote code execution in PyTorch Lightning through 2.6.5 allows an attacker who can get a victim to load a malicious checkpoint file to execute arbitrary code. The flaw lives in the _load_state routine, which imports and calls the module path named in a checkpoint's _instantiator hyperparameter, letting a crafted .ckpt bypass torch's weights_only=True safeguard when LightningModule.load_from_checkpoint is invoked. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that a victim load an attacker-supplied checkpoint via LightningModule.load_from_checkpoint (the underlying _load_state path); specifically the malicious .ckpt must set hyper_parameters['_instantiator'] to an arbitrary importable path (the POC/test uses 'os.system'), which unpatched Lightning imports and executes. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H, base 8.4) correctly frames this as a local, low-complexity, unauthenticated flaw whose exploitation hinges on active user interaction - the victim must load an attacker-supplied checkpoint. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker publishes an attractive pretrained model checkpoint (e.g., on a model-sharing hub or shared drive) whose hyper_parameters include _instantiator set to a dangerous import path such as os.system. When a data scientist runs LightningModule.load_from_checkpoint on the file - even with weights_only=True - Lightning imports and executes that path, running arbitrary code with the victim's privileges. … |
| Remediation | Upgrade to a PyTorch Lightning build containing fix commit d710d689510d50e800f53b3cd773cbca20b1f86f (PR #21832), which restricts the checkpoint _instantiator hyperparameter to an allowlist (_ALLOWED_INSTANTIATORS = lightning.pytorch.cli.instantiate_module and pytorch_lightning.cli.instantiate_module) and raises a ValueError on any other path; the upstream fix is confirmed, but a specific tagged/PyPI release version is not stated in the provided data, so verify the fixed version against the vendor advisory (https://www.vulncheck.com/advisories/pytorch-lightning-arbitrary-code-execution-via-instantiator-hyperparameter) before pinning. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all systems running PyTorch Lightning and determine current versions in use across development, testing, and production environments. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Checkpoint
View allbackend/comics/comics-document.c (aka the comic book backend) in GNOME Evince before 3.24.1 allows remote attackers to e
The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data
PyTorch is a Python package that provides tensor computation. [CVSS 8.8 HIGH]
Check Point ZoneAlarm Extreme Security before 15.8.211.19229 allows local users to escalate privileges. Rated high sever
Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the inte
Check Point Endpoint Security Initial Client for Windows before version E81.30 tries to load a DLL placed in any PATH lo
A hard-link created from log file archive of Check Point ZoneAlarm up to 15.4.062 or Check Point Endpoint Security clien
Multiple unspecified vulnerabilities in Check Point Security Gateway 80 R71.x before R71.45 (730159141) and R75.20.x bef
Arbitrary code execution via torch-checkpoint-shrink.py script in ml-engineering project allows remote attackers to exec
Check Point Endpoint Security Client for Windows, with the VPN blade, before version E80.83, starts a process without us
Arbitrary code execution in Snorkel machine learning library (≤v0.10.0) occurs when users load malicious model checkpoin
Deserialization of Untrusted Data, Improper Input Validation vulnerability in Apache UIMA Java SDK, Apache UIMA Java SDK
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44751
GHSA-qqmf-gpg7-g8gw