Skip to main content

ml-engineering EUVDEUVD-2026-29498

| CVE-2026-31214 CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-05-12 mitre GHSA-qw5f-8jqw-9832
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 13, 2026 - 15:54 vuln.today
CVSS changed
May 13, 2026 - 15:52 NVD
9.8 (None) 9.8 (CRITICAL)
CVE Published
May 12, 2026 - 00:00 nvd
CRITICAL 9.8
CVE Published
May 12, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

The torch-checkpoint-shrink.py script in the ml-engineering project in commit 0099885db36a8f06556efe1faf552518852cb1e0 (2025-20-27) contains an insecure deserialization vulnerability (CWE-502). The script uses torch.load() to process PyTorch checkpoint files (.pt) without enabling the security-restrictive weights_only=True parameter. This oversight allows the deserialization of arbitrary Python objects via the pickle module. A remote attacker can exploit this by providing a maliciously crafted checkpoint file, leading to arbitrary code execution in the context of the user running the script.

AnalysisAI

Arbitrary code execution via torch-checkpoint-shrink.py script in ml-engineering project allows remote attackers to execute malicious Python code by providing crafted PyTorch checkpoint files. The vulnerability stems from insecure deserialization where torch.load() processes .pt files without the weights_only=True safeguard, enabling pickle-based arbitrary object instantiation. Despite a critical CVSS 9.8 score, EPSS probability is low (0.06%, 19th percentile) and no public exploit or active exploitation is confirmed, suggesting limited real-world targeting to date. SSVC assessment indicates total technical impact with automatable exploitation potential, making this a priority for organizations using ml-engineering scripts in production environments.

Technical ContextAI

This vulnerability exploits Python's pickle module, used by PyTorch's torch.load() function for serializing model checkpoints. Pickle can deserialize arbitrary Python objects, including those with __reduce__ methods that execute code during unpickling. The torch-checkpoint-shrink.py script at line 57 (commit 0099885db36a8f06556efe1faf552518852cb1e0) calls torch.load() without the weights_only=True parameter introduced in PyTorch 1.13+ to prevent arbitrary code execution. CWE-502 (Deserialization of Untrusted Data) occurs when applications deserialize data from untrusted sources without validation. In machine learning workflows, checkpoint files are often shared via repositories, cloud storage, or model hubs, creating multiple attack vectors. The CPE data is generic (n/a), indicating the vulnerability affects the ml-engineering GitHub repository scripts rather than a formally packaged product. The attack requires only that a victim process a malicious .pt file through this script, with no authentication barriers for file sourcing.

RemediationAI

Update the torch-checkpoint-shrink.py script by adding weights_only=True parameter to all torch.load() calls, specifically at line 57 where the vulnerability exists. Modify the code from torch.load(file_path) to torch.load(file_path, weights_only=True) to restrict deserialization to tensor data only. No formal patched release version exists as this is a script repository-users must manually apply the fix by editing their local copy or pulling updated commits if the maintainer has released a fix. As an immediate compensating control, implement input validation to process checkpoint files only from trusted, cryptographically verified sources such as signed model registries. Deploy the script in sandboxed execution environments (containers with no network access, restricted filesystem permissions, non-privileged user accounts) to limit blast radius of successful exploitation-note this reduces but does not eliminate risk as code execution still occurs within the sandbox context. For production ML pipelines, implement checkpoint integrity verification using cryptographic signatures before processing, and maintain an allowlist of approved checkpoint sources. Audit all PyTorch-using scripts for similar torch.load() calls without weights_only=True. Trade-off: weights_only=True may break compatibility with checkpoints containing custom objects or optimizer states-test thoroughly in development before production deployment.

CVE-2017-1000083 HIGH POC
7.8 Sep 05

backend/comics/comics-document.c (aka the comic book backend) in GNOME Evince before 3.24.1 allows remote attackers to e

CVE-2024-3568 CRITICAL POC
9.6 Apr 10

The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data

CVE-2026-24747 HIGH POC
8.8 Jan 27

PyTorch is a Python package that provides tensor computation. [CVSS 8.8 HIGH]

CVE-2022-41604 HIGH POC
8.8 Sep 27

Check Point ZoneAlarm Extreme Security before 15.8.211.19229 allows local users to escalate privileges. Rated high sever

CVE-2024-24919 HIGH POC
8.6 May 28

Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the inte

CVE-2026-58659 HIGH POC
8.4 Jul 15

Remote code execution in PyTorch Lightning through 2.6.5 allows an attacker who can get a victim to load a malicious che

CVE-2019-8461 HIGH POC
7.8 Aug 29

Check Point Endpoint Security Initial Client for Windows before version E81.30 tries to load a DLL placed in any PATH lo

CVE-2019-8452 HIGH POC
7.8 Apr 22

A hard-link created from log file archive of Check Point ZoneAlarm up to 15.4.062 or Check Point Endpoint Security clien

CVE-2013-7350 CRITICAL
10.0 Apr 01

Multiple unspecified vulnerabilities in Check Point Security Gateway 80 R71.x before R71.45 (730159141) and R75.20.x bef

CVE-2019-8459 CRITICAL
9.8 Jun 20

Check Point Endpoint Security Client for Windows, with the VPN blade, before version E80.83, starts a process without us

CVE-2026-31222 HIGH
8.8 May 12

Arbitrary code execution in Snorkel machine learning library (≤v0.10.0) occurs when users load malicious model checkpoin

CVE-2023-39913 HIGH
8.8 Nov 08

Deserialization of Untrusted Data, Improper Input Validation vulnerability in Apache UIMA Java SDK, Apache UIMA Java SDK

Share

EUVD-2026-29498 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy