EUVD-2025-21177

CVE-2025-30402
Severity: HIGH, base score 8.1 (CVSS 3.1)

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: High

Lifecycle Timeline

Patch Released: Mar 31, 2026 - 21:13 (nvd) - patch available
Analysis Generated: Mar 16, 2026 - 08:18 (vuln.today)
EUVD ID Assigned: Mar 16, 2026 - 08:18 (euvd) - EUVD-2025-21177
CVE Published: Jul 11, 2025 - 18:15 (nvd) - rated HIGH 8.1

Description (NVD)

A heap-buffer-overflow vulnerability in the loading of ExecuTorch methods can cause the runtime to crash and potentially result in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit 93b1a0c15f7eda49b2bc46b5b4c49557b4e9810f.

Analysis (AI)

CVE-2025-30402 is a heap buffer overflow in ExecuTorch's method loading mechanism that can crash the runtime and potentially enable arbitrary code execution. It affects ExecuTorch versions prior to commit 93b1a0c15f7eda49b2bc46b5b4c49557b4e9810f and requires user interaction (UI:R in the CVSS vector), which in practice means a user or application must load an attacker-supplied model. With a CVSS score of 8.1 and a network attack vector, this is a significant risk to applications embedding ExecuTorch, particularly those that process untrusted model files or serve remote inference requests.

Technical Context (AI)

ExecuTorch is Meta's lightweight machine learning inference runtime for edge devices and embedded systems. The vulnerability lies in the module/method loading subsystem, where ExecuTorch deserializes and parses executable methods during runtime initialization. The heap buffer overflow (CWE-122 class, though the advisory does not state a CWE) occurs when the loader fails to validate buffer boundaries during method instantiation, so attacker-controlled data can overwrite adjacent heap memory. This is a classic memory safety issue in C/C++ runtimes that parse untrusted serialized data, here most likely ExecuTorch model files. Because the overflow is triggered during the loading phase, before any method executes, it is relevant to every deployment in which ExecuTorch processes externally sourced model files.

Remediation (AI)

Immediate remediation:
(1) Update ExecuTorch to a version at or after commit 93b1a0c15f7eda49b2bc46b5b4c49557b4e9810f (check Meta's ExecuTorch repository for the formal release tag that includes this commit).
(2) Apply the patch from the upstream commit directly if manual patching is necessary.

Short-term mitigations pending patching:
(A) Restrict model loading to trusted, internally controlled model files; disable loading of externally sourced or user-provided models.
(B) Use sandboxing or containerization to limit the blast radius of a crash.
(C) Monitor for unexpected process terminations or heap corruption errors in ExecuTorch runtime logs.

Long-term: enable AddressSanitizer (ASan) or memory tagging extensions (MTE) in development and staging builds to detect similar buffer overflows early. Verify that the patch is applied before re-enabling untrusted model loading.


EUVD-2025-21177 vulnerability details – vuln.today
