CVE-2026-4538

MEDIUM

PyTorch pt2 Loading deserialization

Title source: cna

Description

A vulnerability was identified in PyTorch 2.10.0. The affected element is an unknown function of the component pt2 Loading Handler. The manipulation leads to deserialization. The attack can only be performed from a local environment. The exploit is publicly available and might be used. The project was informed of the problem early through a pull request but has not reacted yet.

References (5)

[Vdb Entry] https://vuldb.com/?id.352326

[Signature, Permissions Required] https://vuldb.com/?ctiid.352326

[Third Party Advisory] https://vuldb.com/?submit.774681

[Patch] https://github.com/pytorch/pytorch/pull/176791

[Product] https://github.com/pytorch/pytorch/

Scores

CVSS v3 5.3

EPSS 0.0002

EPSS Percentile 6.3%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-20 CWE-502

Status published

Products (2)

linuxfoundation/pytorch 2.10.0

n/a/PyTorch 2.10.0

Published Mar 22, 2026

Tracked Since Mar 22, 2026