CVE-2026-24747: “Trusted” PyTorch Model Files Can Trigger Memory Corruption and Lead to Remote Code Execution

CVE-2026-24747 – PyTorch Memory Corruption via Pickle Leading to Potential RCE

CVE ID: CVE-2026-24747
Severity: High
CVSS v3.1 Score: 8.8 (High)
Exploitability: Remote, low complexity
Exploit Availability: Proof-of-concept is not widely publicized, but the vulnerability is real and should be treated as exploitable in practical scenarios


Overview

This vulnerability affects the PyTorch machine learning framework in versions older than 2.10.0. The issue arises when a model checkpoint file (commonly saved with the .pth extension) is loaded with the weights_only=True option, the so-called “safe mode” that was intended to load only tensor weights and avoid executing arbitrary code. In practice, a maliciously crafted model file can still trigger a flaw in the internal deserialization logic and cause memory corruption.

Memory corruption in this context can be escalated by an attacker so that arbitrary code runs within the process that loaded the file. If the software loading the model is running with privileged access or on servers handling critical tasks, this can lead to full remote compromise of the host.

Simply put: a specially crafted .pth file can cause unsafe behavior in PyTorch when loaded, even with safety flags enabled.


Technical Background

PyTorch uses Python’s pickle system behind the scenes to reconstruct serialized objects from disk. Pickle is flexible but inherently unsafe when used on untrusted input; it was never designed to be hardened against hostile model artifacts.

To reduce risk, PyTorch implemented an option called weights_only=True. The idea was to load only the numerical weights of a model and skip the risky re-creation of arbitrary Python objects. Unfortunately, because the unpickling logic did not correctly validate and filter out dangerous constructs, an attacker can trick the loader into interpreting malicious parts of the file. This leads to memory corruption deep within PyTorch’s C/C++ layers.

Memory corruption is a serious problem because it means the program’s own memory layout gets altered in unexpected ways. A skilled attacker can shape this memory corruption to redirect execution flow, and that’s how remote code execution (RCE) becomes possible.


Who Is at Risk

Any system or application that:

  • Uses PyTorch versions earlier than 2.10.0, and
  • Loads checkpoint/model files (.pth or similar serialized objects) using any loader path that does not explicitly guard against malicious input

This includes:

  • Public web services that allow users to upload models
  • Model repositories that automatically load client-submitted .pth files
  • CI/CD pipelines that validate or test models
  • Local workstations used for research where models may be imported from untrusted sources

Even internal automation becomes an exploitation vector if its input can later be influenced by untrusted personnel or third-party data sources.


How an Attack Might Work

An attacker who wants to exploit the vulnerability in a target system would generally:

  1. Create a malicious .pth file that abuses the weaknesses in PyTorch’s unpickling logic.
  2. Convince or trick the target to load this file, such as by submitting it to a public upload endpoint, artifact repository, or shared file system.
  3. Trigger the vulnerable load function by having the victim application call torch.load() (with or without weights_only=True).
  4. Cause memory corruption deep inside PyTorch’s internals.
  5. Escalate this memory corruption into arbitrary code execution within that process.

Once arbitrary code execution happens, the attacker’s possibilities depend on what privileges the process has — ranging from extracting sensitive files to establishing a persistent foothold in the environment.


Proof of Concept and Exploit Status

At the time of writing there is no widely published exploit that can simply be downloaded and run. That said, given how pickle and model loading work, the vulnerability is real and demonstrable, and it is only a matter of time before attackers in the wild attempt to weaponize it.

Security experts often treat memory corruption vulnerabilities as high-risk even without public proof-of-concept code. This is because once attackers reverse-engineer the flaw, RCE can be achieved in many practical environments.


How to Detect Potential Exploitation

Detecting exploitation is not as simple as looking for a single error message. Memory corruption and deserialization issues typically manifest in several indirect ways:

1. Application Crashes During Model Load

If your logs show sudden crashes (segmentation faults, aborted processes, fatal Python exceptions) immediately after loading a .pth file, this could indicate someone tried to load malformed content.

Look for:

  • Sudden Python process exits without stack traces
  • Errors related to improper memory access
  • Native code stack frames in crash reports

This is often recorded in:

  • System logs (/var/log/syslog, journalctl)
  • Application logs capturing stdout/stderr
  • Crash reports in container logs

2. Unexpected Process Behavior After Loading Models

An exploited process might:

  • Spawn unexpected subprocesses
  • Access sensitive files
  • Show unusual network connections

These can be caught by:

  • Endpoint detection systems
  • Process monitoring (capture cmdline, parent/child relationships)
  • Network telemetry

3. File-Level Indicators

Since all malicious scenarios start with a malformed .pth file, you can scan incoming model files for anomalies before they hit production code:

  • Use lightweight heuristics that check for:
    • Unexpected Python pickle opcodes
    • Odd structure in the serialized data
    • Model files that are significantly different in size or structure from normal checkpoints

These heuristics aren’t perfect, but they can stop obviously bad files before they are loaded.


Detection Rules

SIEM Rule Example

Trigger an alert when:

  • A Python process opens a .pth file
  • And the next log line shows a crash or unexpected exit

This correlates file access with a crash, which often indicates exploitation attempts.
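The correlation described above, as an added example that is not part of the original post or of any SIEM product. It generalizes the “next log line” rule into a per-process time window: a crash is tied to the most recent .pth open by the same PID if it happens within the window. The log format (timestamp, PID, event, detail) and the sample lines are constructed for the example; adapt the regular expression to your own telemetry.

```python
"""Correlate a .pth file open with a crash of the same process shortly afterwards."""
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry): "<ISO timestamp> <pid> <event> <detail>".
SAMPLE_LOG = """\
2026-02-03T10:00:01 4101 open /srv/models/resnet50.pth
2026-02-03T10:00:04 4101 exit code=0
2026-02-03T10:05:10 4188 open /srv/uploads/user42/model.pth
2026-02-03T10:05:11 4188 crash signal=SIGSEGV
2026-02-03T10:07:00 4201 open /srv/models/bert.pth
2026-02-03T10:20:30 4201 crash signal=SIGABRT
2026-02-03T10:30:00 4300 crash signal=SIGSEGV
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<pid>\d+) (?P<event>open|exit|crash) (?P<detail>.*)$")


def parse_events(lines):
    """Yield structured events from the constructed log format; unparseable lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield {
                "ts": datetime.fromisoformat(m["ts"]),
                "pid": int(m["pid"]),
                "event": m["event"],
                "detail": m["detail"],
            }


def correlate_pth_crashes(log_text: str, window: timedelta = timedelta(seconds=30)):
    """Return (pid, path, crash detail) for every process that opened a .pth file and
    then crashed within `window`. A clean exit clears the pending open for that PID."""
    last_open = {}  # pid -> (timestamp of open, path)
    alerts = []
    for ev in parse_events(log_text.splitlines()):
        if ev["event"] == "open" and ev["detail"].endswith(".pth"):
            last_open[ev["pid"]] = (ev["ts"], ev["detail"])
        elif ev["event"] == "crash":
            opened = last_open.pop(ev["pid"], None)
            if opened is not None and ev["ts"] - opened[0] <= window:
                alerts.append((ev["pid"], opened[1], ev["detail"]))
        elif ev["event"] == "exit":
            last_open.pop(ev["pid"], None)
    return alerts


if __name__ == "__main__":
    for pid, path, detail in correlate_pth_crashes(SAMPLE_LOG):
        print(f"ALERT pid={pid} crashed ({detail}) shortly after opening {path}")
```

Only PID 4188 produces an alert: PID 4101 exited cleanly, PID 4201 crashed far outside the window, and PID 4300 crashed without having opened a checkpoint. Tune the window to how long a model load takes in your environment; a window that is too wide will re-create the false positives the post warns about under “Detection Challenges”.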


YARA-Like Heuristic for .pth Files

Although legitimate .pth files contain many pickle markers, you can still flag:

  • Unusual or excessive occurrences of risky pickle opcodes in .pth files
  • Files that break structural expectations of PyTorch checkpoints

Note: This should be used for pre-ingest scanning, not as an automatic block.


Recommended Logging & Monitoring Sources

To have effective visibility into attempts to exploit this vulnerability, focus on:

  • Application logs capturing model loading calls
  • Container and orchestration logs that record service crashes
  • System crash logs and core dumps
  • Endpoint telemetry (process starts, exits, crashes)
  • Network telemetry in case an exploited process attempts outbound connections
  • Artifact repository logs showing .pth uploads/downloads

The more sources you centralize and correlate, the better you’ll detect suspicious activity.


Detection Challenges

  • No single signature exists. Pickle doesn’t have a fixed “exploit pattern,” and memory corruption shows up as unstable behavior, not a clean rule.
  • Malicious models can look normal at rest. A crafted .pth file may not appear obviously malicious just by looking at its bytes.
  • Crashes can have many causes. It takes correlation logic to link abnormal behavior to malicious input.

Mitigation and Prevention

The only fully reliable mitigation is to upgrade PyTorch to version 2.10.0 or higher. This version includes the corrected deserialization logic that eliminates the flaw in the unpickler.

Additionally:

  • Treat model files from external sources as untrusted input.
  • Scan and validate model artifacts before loading them.
  • Consider isolating model-loading processes in sandboxes or containers that have limited privileges.

If you find crashes or odd behavior during model loading, assume it may be a security issue and investigate with urgency.
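One way to act on the isolation and “treat crashes as security events” advice above, as an added example that is not the post’s or PyTorch’s code: the load runs in a throwaway child interpreter started in isolated mode with a capped address space, and the parent classifies how the child ended. A child killed by a signal (negative return code, as POSIX subprocess reports it) is recorded as a crash with the signal name, which is exactly the event the detection sections say to alert on. Assumptions: a POSIX host (the resource module is not available on Windows), a 4 GiB cap chosen for the example, and two constructed stand-in loader bodies so the example runs without PyTorch installed; with PyTorch present the loader body would be the torch.load call shown in the comment.

```python
"""Load a checkpoint in an isolated child process and classify crashes as security events."""
import os
import signal
import subprocess
import sys
import tempfile

# Prelude run inside the child: cap its address space before the file is touched.
# The 4 GiB value is an assumption for the example; size it for your models.
CHILD_PRELUDE = (
    "import resource, sys\n"
    "try:\n"
    "    resource.setrlimit(resource.RLIMIT_AS, (4 * 1024**3, 4 * 1024**3))\n"
    "except (ValueError, OSError):\n"
    "    pass\n"
    "path = sys.argv[1]\n"
)

# With PyTorch installed the loader body would be:
#   "import torch\nstate = torch.load(path, weights_only=True)\nprint(len(state))\n"
# The two stand-ins below are constructed so the example runs without torch.
STANDIN_OK = "data = open(path, 'rb').read()\nprint('read', len(data), 'bytes')\n"
STANDIN_CRASH = "import os\nos.abort()  # simulates a native crash inside the deserializer\n"


def load_isolated(loader_body: str, path: str, timeout: float = 30.0) -> dict:
    """Run loader_body in a fresh isolated-mode interpreter and report how it ended."""
    cmd = [sys.executable, "-I", "-c", CHILD_PRELUDE + loader_body, path]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return {"status": "timeout", "path": path}
    if proc.returncode < 0:
        # Negative return code: the child was terminated by a signal (SIGSEGV, SIGABRT, ...).
        return {"status": "crash", "signal": signal.Signals(-proc.returncode).name,
                "path": path, "stderr": proc.stderr[-400:]}
    if proc.returncode != 0:
        return {"status": "error", "path": path, "stderr": proc.stderr[-400:]}
    return {"status": "ok", "path": path, "stdout": proc.stdout.strip()}


def demo() -> dict:
    """Write a constructed placeholder file and run both stand-in loaders against it."""
    with tempfile.NamedTemporaryFile(suffix=".pth", delete=False) as fh:
        fh.write(b"PLACEHOLDER-CHECKPOINT-BYTES")  # constructed; not a real checkpoint
        path = fh.name
    try:
        return {"benign": load_isolated(STANDIN_OK, path),
                "crash": load_isolated(STANDIN_CRASH, path)}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In a real service the "crash" and "timeout" results should be written to the same log the SIEM correlation reads, with the file path and its hash, and the file quarantined for review. A process limit and an unprivileged user for the child belong in the same wrapper; the example keeps only the address-space cap to stay short.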


Official Patch / Upgrade Link

Upgrade PyTorch to version 2.10.0 or later to eliminate this vulnerability:

👉 Official PyTorch 2.10.0 Release / Patch Announcement:
https://github.com/pytorch/pytorch/releases/tag/v2.10.0


Final Takeaway

CVE-2026-24747 is a high-risk PyTorch vulnerability where loading a malicious .pth model file can lead to memory corruption and potential remote code execution, even when “safe” loading options are used. Any system that processes untrusted or external model files is at risk. Detection is difficult because exploitation may only appear as crashes or abnormal behavior during model loading. The only reliable fix is upgrading PyTorch to version 2.10.0 or later and treating all model files as untrusted input.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.