Stable Diffusion Cpp
Monthly
Heap-based buffer overflow in stable-diffusion.cpp's pickle .ckpt parser allows attackers to corrupt memory and likely achieve code execution when a victim loads a maliciously crafted checkpoint file. The flaw stems from sign confusion in the BINUNICODE opcode length field, causing memcpy to be called with an attacker-controlled, effectively gigantic size derived from a negative signed integer. No public exploit identified at time of analysis, and the issue is fixed in master-584-0a7ae07.
Heap buffer overflow in the leejet stable-diffusion.cpp pickle .ckpt parser allows arbitrary code execution when a user or host application loads a maliciously crafted checkpoint file. The flaw resides in the GLOBAL opcode handler within src/model.cpp, where missing newline validation lets a -1 length value drive a heap memory copy, corrupting the heap of the diffusion inference process. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the attack surface (community model-sharing sites) makes weaponization plausible.
Heap buffer overflow in stable-diffusion.cpp versions prior to master-584-0a7ae07 allows attackers to corrupt memory and potentially achieve code execution when a victim loads a malicious PyTorch .ckpt checkpoint file. The flaw resides in the SHORT_BINUNICODE opcode handler of the pickle parser in src/model.cpp, where a signed length field is mishandled and passed to memcpy. No public exploit identified at time of analysis, but the upstream fix is committed and the attack surface (untrusted model files from sharing sites) is realistic for AI/ML workloads.
Out-of-bounds reads in stable-diffusion.cpp's PyTorch pickle checkpoint parser (versions prior to master-584-0a7ae07) allow a crafted or truncated .ckpt file to crash the loading application or leak process memory contents. The pickle opcode handlers in src/model.cpp advanced the buffer pointer without verifying remaining bytes before each read, meaning any application using this library to load untrusted .ckpt model files is exposed to denial-of-service and potential memory disclosure. No public exploit has been identified at time of analysis, though LibFuzzer triggered crashing inputs in under one second, indicating an extremely low barrier for generating working crash payloads.
Heap-based buffer overflow in stable-diffusion.cpp's pickle .ckpt parser allows attackers to corrupt memory and likely achieve code execution when a victim loads a maliciously crafted checkpoint file. The flaw stems from sign confusion in the BINUNICODE opcode length field, causing memcpy to be called with an attacker-controlled, effectively gigantic size derived from a negative signed integer. No public exploit identified at time of analysis, and the issue is fixed in master-584-0a7ae07.
Heap buffer overflow in the leejet stable-diffusion.cpp pickle .ckpt parser allows arbitrary code execution when a user or host application loads a maliciously crafted checkpoint file. The flaw resides in the GLOBAL opcode handler within src/model.cpp, where missing newline validation lets a -1 length value drive a heap memory copy, corrupting the heap of the diffusion inference process. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the attack surface (community model-sharing sites) makes weaponization plausible.
Heap buffer overflow in stable-diffusion.cpp versions prior to master-584-0a7ae07 allows attackers to corrupt memory and potentially achieve code execution when a victim loads a malicious PyTorch .ckpt checkpoint file. The flaw resides in the SHORT_BINUNICODE opcode handler of the pickle parser in src/model.cpp, where a signed length field is mishandled and passed to memcpy. No public exploit identified at time of analysis, but the upstream fix is committed and the attack surface (untrusted model files from sharing sites) is realistic for AI/ML workloads.
Out-of-bounds reads in stable-diffusion.cpp's PyTorch pickle checkpoint parser (versions prior to master-584-0a7ae07) allow a crafted or truncated .ckpt file to crash the loading application or leak process memory contents. The pickle opcode handlers in src/model.cpp advanced the buffer pointer without verifying remaining bytes before each read, meaning any application using this library to load untrusted .ckpt model files is exposed to denial-of-service and potential memory disclosure. No public exploit has been identified at time of analysis, though LibFuzzer triggered crashing inputs in under one second, indicating an extremely low barrier for generating working crash payloads.