CVE-2026-24747
Severity: HIGH
PyTorch < 2.10.0 - Remote Code Execution via Malicious Checkpoint File
PyTorch is a Python package that provides tensor computation. Prior to version 2.10.0, a vulnerability in PyTorch's `weights_only` unpickler allows an attacker to craft a malicious checkpoint file (`.pth`) that, when loaded with `torch.load(..., weights_only=True)`, can corrupt memory and potentially lead to arbitrary code execution. Version 2.10.0 fixes the issue.
References (4)
Vendor Advisory x_refsource_confirm
https://github.com/pytorch/pytorch/security/advisories/GHSA-63cw-57p8-fm3p
Exploit, Issue Tracking x_refsource_misc
https://github.com/pytorch/pytorch/issues/163105
Broken Link x_refsource_misc
https://github.com/pytorch/pytorch/163122/commit/954dc5183ee9205cbe79876ad05dd2d9ae752139
Product, Release Notes x_refsource_misc
https://github.com/pytorch/pytorch/releases/tag/v2.10.0
Scores
CVSS v3
8.8
EPSS
0.0063
EPSS Percentile
45.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-94
CWE-502
Status
published
Products (2)
linuxfoundation/pytorch
< 2.10.0
pypi/pytorch
0 - 2.10.0 (PyPI)
Published
Jan 27, 2026
Tracked Since
Feb 18, 2026