The development team behind PyTorch, the backbone of modern deep learning and AI research, has patched a high-severity vulnerability that breaks the trust of its most security-conscious feature. Tracked as CVE-2026-24747, the flaw carries a CVSS score of 8.8 and allows attackers to execute arbitrary code even when users enable the specific setting designed to prevent it.
The vulnerability resides in the weights_only=True unpickler—a mechanism explicitly intended to load model data safely without executing code.
In the world of Python AI, the torch.load() function is a standard tool for loading saved model checkpoints. Historically, this relied on Python’s pickle module, which is notoriously insecure because it can execute arbitrary instructions. To combat this, PyTorch introduced the weights_only=True flag, promising to restrict loading to just the data (weights) and block executable code.
However, security researchers discovered that this shield was cracked. The advisory reveals that “the weights_only=True unpickler failed to properly validate pickle opcodes and storage metadata”.
The flaw is technically a memory corruption issue that escalates into code execution. By crafting a malicious checkpoint file (.pth), an attacker can trigger two specific failures:
- Heap Memory Corruption: By applying SETITEM or SETITEMS opcodes to types that aren’t dictionaries.
- Storage Mismatch: Creating a “storage size mismatch between declared element count and actual data in the archive”.
When a user loads this poisoned file—believing they are safe because they used the restricted mode—the unpickler corrupts memory, potentially allowing the attacker to hijack the victim’s process.
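To make the first failure concrete, here is an added, defender-side illustration that is not code from the advisory or from PyTorch: a pre-load screen that walks a pickle opcode stream with the standard library's pickletools, without executing it, and reports exactly the kind of misuse the advisory describes (SETITEM/SETITEMS applied to something that is not a dict, plus underflow and opcodes outside an allowlist). The coarse type tags, the allowlist and both sample streams are my own constructions; for a real .pth file the bytes passed in would be the data.pkl member of the checkpoint archive.

```python
import pickle
import pickletools
# Opcodes that push one value, tagged by coarse type; anything not here or in NO_EFFECT is reported.
PUSH = {"EMPTY_DICT": "dict", "EMPTY_LIST": "list", "EMPTY_TUPLE": "tuple", "NONE": "none",
        "BININT": "int", "BININT1": "int", "BININT2": "int", "LONG1": "int", "BINFLOAT": "float",
        "NEWTRUE": "bool", "NEWFALSE": "bool", "BINUNICODE": "str", "SHORT_BINUNICODE": "str",
        "GLOBAL": "global", "BINGET": "memo", "LONG_BINGET": "memo"}
NO_EFFECT = {"PROTO", "FRAME", "BINPUT", "LONG_BINPUT", "MEMOIZE", "STOP"}

def _mark(stack):
    return len(stack) - 1 - stack[::-1].index("MARK")   # ValueError if there is no MARK

def scan_pickle(data: bytes) -> list:
    """Walk the opcode stream without executing it, tracking only the type of
    each stack slot, and return findings a strict unpickler should reject."""
    findings, stack = [], []
    for op, _arg, pos in pickletools.genops(data):
        name = op.name
        try:
            if name in NO_EFFECT:
                pass
            elif name in PUSH:
                stack.append(PUSH[name])
            elif name == "MARK":
                stack.append("MARK")
            elif name.startswith("TUPLE"):   # TUPLE pops back to MARK, TUPLEn pops n items
                del stack[_mark(stack) if name == "TUPLE" else -int(name[-1]):]
                stack.append("tuple")
            elif name in ("SETITEM", "SETITEMS", "APPEND", "APPENDS"):
                # batch forms consume back to MARK; SETITEM pops key+value, APPEND one value
                del stack[_mark(stack) if name.endswith("S") else -(2 if name == "SETITEM" else 1):]
                want = "dict" if name.startswith("SET") else "list"
                if stack[-1] != want:        # the target-type check the advisory says was missing
                    findings.append(f"{name} at offset {pos} targets {stack[-1]}, not {want}")
            elif name == "BINPERSID":        # persistent id -> storage reference
                stack[-1] = "storage"
            elif name in ("REDUCE", "STACK_GLOBAL"):
                del stack[-2:]
                stack.append("obj")
            else:
                findings.append(f"opcode {name} at offset {pos} is outside the allowlist")
        except (IndexError, ValueError):
            findings.append(f"stack underflow at {name} (offset {pos})")
    return findings

# Constructed samples: an ordinary dict pickle, and a hand-assembled stream that
# applies SETITEM to a list, the kind of opcode misuse the advisory describes.
CLEAN = pickle.dumps({"w": [1, 2]}, protocol=2)
MALFORMED = (pickle.PROTO + b"\x02" + pickle.EMPTY_LIST + pickle.BINUNICODE + b"\x01\x00\x00\x00k"
             + pickle.BININT1 + b"\x01" + pickle.SETITEM + pickle.STOP)
```

Running scan_pickle(CLEAN) returns no findings, while scan_pickle(MALFORMED) reports the SETITEM that targets a list; such a screen complements, but does not replace, upgrading to the fixed release.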
This vulnerability is particularly concerning for the AI supply chain, where researchers and engineers frequently download and test model checkpoints from public repositories like Hugging Face or GitHub.
“An attacker who can convince a user to load a malicious checkpoint file may achieve arbitrary code execution in the context of the victim’s process,” the advisory warns.
The vulnerability affects all PyTorch versions 2.9.1 and earlier.
The PyTorch team has released a fix in version 2.10.0. Developers and data scientists are urged to update their environments immediately to ensure that their “safe” loading practices are actually secure.