Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
4Blast Radius
ecosystem impact- 5 pypi packages depend on pytorch-lightning (4 direct, 1 indirect)
Ecosystem-wide dependent count for version 2.6.0.
DescriptionCVE.org
PyTorch-Lightning versions 2.6.0 and earlier contain an insecure deserialization vulnerability (CWE-502) in the checkpoint loading mechanism. The LightningModule.load_from_checkpoint() method, which is commonly used to load saved model states, internally calls torch.load() without setting the security-restrictive weights_only=True parameter. This default behavior allows the deserialization of arbitrary Python objects via the Pickle module. A remote attacker can exploit this by providing a maliciously crafted checkpoint file, leading to arbitrary code execution on the victim's system when the file is loaded.
AnalysisAI
Arbitrary code execution occurs in PyTorch Lightning 2.6.0 and earlier when loading malicious checkpoint files. The LightningModule.load_from_checkpoint() method deserializes untrusted Pickle data without security restrictions, allowing attackers to execute arbitrary Python code when victims open crafted .ckpt files. EPSS score of 0.06% (19th percentile) indicates low observed exploitation probability, and no public exploit code or CISA KEV listing exists at time of analysis. Attack requires local access and user interaction (opening a malicious checkpoint), limiting remote attack scenarios to social engineering or supply chain compromise.
Technical ContextAI
PyTorch Lightning is a high-level PyTorch wrapper framework for organizing machine learning research code. The vulnerability stems from insecure deserialization (CWE-502) in the checkpoint persistence mechanism. Model checkpoints in PyTorch are typically serialized using Python's Pickle module, which can execute arbitrary code during deserialization. PyTorch introduced the weights_only=True parameter in torch.load() to restrict deserialization to tensors only, preventing code execution. However, PyTorch Lightning's load_from_checkpoint() wrapper method calls torch.load() with default parameters (weights_only=False), allowing full object deserialization. This design choice prioritizes backward compatibility over security, creating a code execution vector when loading untrusted checkpoint files.
RemediationAI
Upstream fix version not independently confirmed from available data - vendors should consult the official PyTorch Lightning GitHub repository and security advisories for patch availability. Until patched versions are deployed, implement these specific mitigations: (1) Modify code to use torch.load(checkpoint_path, weights_only=True) directly instead of load_from_checkpoint(), then manually instantiate the LightningModule - this breaks compatibility with checkpoints containing custom Python objects but eliminates code execution risk; (2) Implement cryptographic signature verification for all checkpoint files using HMAC-SHA256 or digital signatures before loading, rejecting unsigned or invalid files; (3) Restrict checkpoint loading to files from trusted internal sources only, blocking external downloads via network policies; (4) Run checkpoint loading operations in isolated containers or virtual machines with no network access and minimal privileges, treating all checkpoints as untrusted until validated. Trade-offs: weights_only=True breaks legitimate use cases requiring custom callbacks or objects in checkpoints; signature verification requires key management infrastructure; container isolation adds operational complexity. Organizations sharing models publicly should publish checksums/signatures alongside checkpoint files. Monitor PyTorch Lightning release notes at https://github.com/Lightning-AI/pytorch-lightning/releases for security patches.
More in Checkpoint
View allbackend/comics/comics-document.c (aka the comic book backend) in GNOME Evince before 3.24.1 allows remote attackers to e
The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data
PyTorch is a Python package that provides tensor computation. [CVSS 8.8 HIGH]
Check Point ZoneAlarm Extreme Security before 15.8.211.19229 allows local users to escalate privileges. Rated high sever
Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the inte
Remote code execution in PyTorch Lightning through 2.6.5 allows an attacker who can get a victim to load a malicious che
Check Point Endpoint Security Initial Client for Windows before version E81.30 tries to load a DLL placed in any PATH lo
A hard-link created from log file archive of Check Point ZoneAlarm up to 15.4.062 or Check Point Endpoint Security clien
Multiple unspecified vulnerabilities in Check Point Security Gateway 80 R71.x before R71.45 (730159141) and R75.20.x bef
Arbitrary code execution via torch-checkpoint-shrink.py script in ml-engineering project allows remote attackers to exec
Check Point Endpoint Security Client for Windows, with the VPN blade, before version E80.83, starts a process without us
Arbitrary code execution in Snorkel machine learning library (≤v0.10.0) occurs when users load malicious model checkpoin
Same weakness CWE-502 – Deserialization of Untrusted Data
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29505
GHSA-75m9-98v2-hjpm