Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-4538 is a vulnerability in PyTorch 2.10.0 related to insecure deserialization in the function torch.export.load when loading .pt2 model files.'}, {'type': 'paragraph', 'content': 'The issue occurs because the loading function can fall back to using Python\'s pickle module with weights_only=False if the model\'s weights configuration contains "use_pickle": true or if an exception triggers a fallback. This fallback allows execution of arbitrary code embedded in malicious pickle payloads.'}, {'type': 'paragraph', 'content': 'An attacker with local access can exploit this by crafting a malicious .pt2 file that executes arbitrary commands during loading.'}, {'type': 'paragraph', 'content': 'To mitigate this, a new boolean parameter weights_only was introduced to torch.export.load, which when set to True, blocks the insecure fallback and prevents unsafe pickle deserialization, thus eliminating the arbitrary code execution risk.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

If exploited, this vulnerability allows an attacker with local access to execute arbitrary code on your system by loading a specially crafted malicious .pt2 PyTorch model file.

This could lead to unauthorized actions such as running malicious commands, compromising system integrity, stealing data, or further escalating privileges.

Since the exploit requires local access, remote exploitation is not possible, but insider threats or compromised local environments could be at risk.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability involves insecure deserialization in PyTorch's torch.export.load function when loading .pt2 model files with the use_pickle option enabled or when a fallback to pickle deserialization occurs."}, {'type': 'paragraph', 'content': 'Detection can focus on identifying usage of torch.export.load with .pt2 files that have the weights configuration set to use_pickle: true or monitoring for fallback deserialization behavior.'}, {'type': 'paragraph', 'content': 'Since the exploit is local and involves loading malicious .pt2 files, you can check for suspicious .pt2 files or scripts invoking torch.export.load without the weights_only=True parameter.'}, {'type': 'paragraph', 'content': 'Specific commands are not provided in the resources, but you might consider:'}, {'type': 'list_item', 'content': 'Searching for .pt2 files with use_pickle enabled in their configuration.'}, {'type': 'list_item', 'content': 'Auditing Python scripts or environments for calls to torch.export.load without weights_only=True.'}, {'type': 'list_item', 'content': 'Monitoring process execution for unexpected commands triggered during model loading.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, explicitly set the weights_only parameter to true when calling torch.export.load to prevent insecure fallback to pickle deserialization.

This change blocks unsafe deserialization paths and eliminates the arbitrary code execution risk while maintaining compatibility with existing workflows.

Additionally, avoid loading untrusted or suspicious .pt2 files that may contain malicious pickle payloads.

Useful 0 Not Useful 0