Skip to main content

PyTorch Lightning EUVDEUVD-2026-29505

| CVE-2026-31221 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-05-12 mitre GHSA-75m9-98v2-hjpm
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 14, 2026 - 21:16 vuln.today
CVSS changed
May 14, 2026 - 19:07 NVD
7.8 (HIGH)
CVE Published
May 12, 2026 - 00:00 nvd
HIGH 7.8
CVE Published
May 12, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 5 pypi packages depend on pytorch-lightning (4 direct, 1 indirect)

Ecosystem-wide dependent count for version 2.6.0.

DescriptionCVE.org

PyTorch-Lightning versions 2.6.0 and earlier contain an insecure deserialization vulnerability (CWE-502) in the checkpoint loading mechanism. The LightningModule.load_from_checkpoint() method, which is commonly used to load saved model states, internally calls torch.load() without setting the security-restrictive weights_only=True parameter. This default behavior allows the deserialization of arbitrary Python objects via the Pickle module. A remote attacker can exploit this by providing a maliciously crafted checkpoint file, leading to arbitrary code execution on the victim's system when the file is loaded.

AnalysisAI

Arbitrary code execution occurs in PyTorch Lightning 2.6.0 and earlier when loading malicious checkpoint files. The LightningModule.load_from_checkpoint() method deserializes untrusted Pickle data without security restrictions, allowing attackers to execute arbitrary Python code when victims open crafted .ckpt files. EPSS score of 0.06% (19th percentile) indicates low observed exploitation probability, and no public exploit code or CISA KEV listing exists at time of analysis. Attack requires local access and user interaction (opening a malicious checkpoint), limiting remote attack scenarios to social engineering or supply chain compromise.

Technical ContextAI

PyTorch Lightning is a high-level PyTorch wrapper framework for organizing machine learning research code. The vulnerability stems from insecure deserialization (CWE-502) in the checkpoint persistence mechanism. Model checkpoints in PyTorch are typically serialized using Python's Pickle module, which can execute arbitrary code during deserialization. PyTorch introduced the weights_only=True parameter in torch.load() to restrict deserialization to tensors only, preventing code execution. However, PyTorch Lightning's load_from_checkpoint() wrapper method calls torch.load() with default parameters (weights_only=False), allowing full object deserialization. This design choice prioritizes backward compatibility over security, creating a code execution vector when loading untrusted checkpoint files.

RemediationAI

Upstream fix version not independently confirmed from available data - vendors should consult the official PyTorch Lightning GitHub repository and security advisories for patch availability. Until patched versions are deployed, implement these specific mitigations: (1) Modify code to use torch.load(checkpoint_path, weights_only=True) directly instead of load_from_checkpoint(), then manually instantiate the LightningModule - this breaks compatibility with checkpoints containing custom Python objects but eliminates code execution risk; (2) Implement cryptographic signature verification for all checkpoint files using HMAC-SHA256 or digital signatures before loading, rejecting unsigned or invalid files; (3) Restrict checkpoint loading to files from trusted internal sources only, blocking external downloads via network policies; (4) Run checkpoint loading operations in isolated containers or virtual machines with no network access and minimal privileges, treating all checkpoints as untrusted until validated. Trade-offs: weights_only=True breaks legitimate use cases requiring custom callbacks or objects in checkpoints; signature verification requires key management infrastructure; container isolation adds operational complexity. Organizations sharing models publicly should publish checksums/signatures alongside checkpoint files. Monitor PyTorch Lightning release notes at https://github.com/Lightning-AI/pytorch-lightning/releases for security patches.

CVE-2017-1000083 HIGH POC
7.8 Sep 05

backend/comics/comics-document.c (aka the comic book backend) in GNOME Evince before 3.24.1 allows remote attackers to e

CVE-2024-3568 CRITICAL POC
9.6 Apr 10

The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data

CVE-2026-24747 HIGH POC
8.8 Jan 27

PyTorch is a Python package that provides tensor computation. [CVSS 8.8 HIGH]

CVE-2022-41604 HIGH POC
8.8 Sep 27

Check Point ZoneAlarm Extreme Security before 15.8.211.19229 allows local users to escalate privileges. Rated high sever

CVE-2024-24919 HIGH POC
8.6 May 28

Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the inte

CVE-2026-58659 HIGH POC
8.4 Jul 15

Remote code execution in PyTorch Lightning through 2.6.5 allows an attacker who can get a victim to load a malicious che

CVE-2019-8461 HIGH POC
7.8 Aug 29

Check Point Endpoint Security Initial Client for Windows before version E81.30 tries to load a DLL placed in any PATH lo

CVE-2019-8452 HIGH POC
7.8 Apr 22

A hard-link created from log file archive of Check Point ZoneAlarm up to 15.4.062 or Check Point Endpoint Security clien

CVE-2013-7350 CRITICAL
10.0 Apr 01

Multiple unspecified vulnerabilities in Check Point Security Gateway 80 R71.x before R71.45 (730159141) and R75.20.x bef

CVE-2026-31214 CRITICAL
9.8 May 12

Arbitrary code execution via torch-checkpoint-shrink.py script in ml-engineering project allows remote attackers to exec

CVE-2019-8459 CRITICAL
9.8 Jun 20

Check Point Endpoint Security Client for Windows, with the VPN blade, before version E80.83, starts a process without us

CVE-2026-31222 HIGH
8.8 May 12

Arbitrary code execution in Snorkel machine learning library (≤v0.10.0) occurs when users load malicious model checkpoin

Share

EUVD-2026-29505 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy