CVE-2026-47747
Awaiting Analysis
Heap Buffer Overflow in Stable Diffusion.cpp

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: GitHub, Inc.

Description
stable-diffusion.cpp is a pure C/C++ library for running diffusion model (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more) inference. In versions prior to master-584-0a7ae07, the pickle .ckpt parser in src/model.cpp contained a heap buffer overflow vulnerability in the BINUNICODE opcode handler. The issue was caused by sign confusion on the opcode length field. A crafted .ckpt file could trigger memcpy with a very large length derived from a negative signed value, causing immediate heap corruption. The issue has been resolved in version master-584-0a7ae07. If developers are unable to immediately update their applications they can work around this issue by only loading .ckpt checkpoint files from trusted sources and preferring trusted model sources and safer formats such as .safetensors where possible.

Meta Information

  • Published: 2026-06-16
  • Last Modified: 2026-06-16
  • Generated: 2026-06-17
  • AI Q&A: 2026-06-16
  • EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE

| Vendor | Product | Version / Range |
|--------|---------|-----------------|
| leejet | stable_diffusion.cpp | to master-584-0a7ae07 (exc) |

| CWE ID | Description |
|--------|-------------|
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |

Executive Summary

The vulnerability in CVE-2026-47747 is a heap buffer overflow in the stable-diffusion.cpp library's pickle .ckpt parser, specifically in the BINUNICODE opcode handler. It arises from sign confusion: a negative signed length value is interpreted as a very large unsigned value in the memcpy call. A negative length field (e.g., -1) is not caught by the check for lengths greater than 512 and is then used as a size_t in memcpy, causing an overflow.

An attacker can exploit this by crafting a malicious .ckpt file that triggers this overflow, leading to heap corruption. This can cause the application to crash or, depending on the heap layout, potentially allow code execution. The vulnerability affects the confidentiality, integrity, and availability of the system using the vulnerable library.

Impact Analysis

This vulnerability can impact you by causing heap corruption when loading a maliciously crafted .ckpt file in the stable-diffusion.cpp library. The immediate consequence may be a process crash, resulting in denial of service.

More severely, depending on the heap layout, the heap buffer overflow could be exploited to execute arbitrary code, compromising the confidentiality, integrity, and availability of your system or application.

The attack requires that you load a .ckpt checkpoint file from an untrusted source, so using only trusted model sources or safer formats like .safetensors can mitigate the risk.

Detection Guidance

This vulnerability is triggered by loading a specially crafted .ckpt checkpoint file that exploits a heap buffer overflow in the BINUNICODE opcode handler of the stable-diffusion.cpp library. Detection involves identifying if any untrusted or malicious .ckpt files are being loaded by your applications using this library.

Since the issue arises from processing .ckpt files, you can detect potential exploitation attempts by monitoring file access and usage of .ckpt files, especially those from untrusted sources.

  • Check for presence of .ckpt files in your system or application directories: `find /path/to/models -name '*.ckpt'`
  • Monitor application logs or runtime behavior for crashes or heap corruption related to loading .ckpt files.
  • If you have access to the source or debugging environment, consider adding instrumentation or logging around the BINUNICODE opcode handler in src/model.cpp to detect abnormal length values or memcpy calls with suspiciously large sizes.

There are no specific built-in commands or signatures provided to detect this vulnerability automatically; detection relies on monitoring usage of .ckpt files and ensuring they come from trusted sources.
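
A static pre-load check for the condition described above, added here as an example (not code from stable-diffusion.cpp or from the advisory): it walks the pickle opcodes using the opcode table in Python's pickletools, never unpickling anything, and reports any BINUNICODE whose 4-byte length is negative when read as a signed 32-bit integer or larger than the bytes that remain. The function names, the sample byte strings, and the assumption that a checkpoint is either a zip archive with .pkl members or a bare pickle stream are this example's own.

```python
import io
import pickletools
import struct
import zipfile

# Constructed samples: a well-formed stream, and one whose length field is 0xFFFFFFFF.
BENIGN = b"\x80\x02X\x03\x00\x00\x00abcq\x00."
SUSPECT = b"\x80\x02X\xff\xff\xff\xffabc."

def scan_stream(data, name="<stream>"):
    """Walk one pickle stream without unpickling it; return (name, offset, reason) findings."""
    f = io.BytesIO(data)
    while True:
        pos = f.tell()
        op = pickletools.code2op.get(f.read(1).decode("latin-1"))
        if op is None:  # ran out of data, or hit an unknown opcode, before STOP
            return [(name, pos, "stream is malformed or ends before STOP")]
        if op.name == "BINUNICODE":
            raw = f.read(4)
            if len(raw) < 4:
                return [(name, pos, "truncated BINUNICODE length field")]
            signed = struct.unpack("<i", raw)[0]  # what a parser storing it in int32 sees
            size = struct.unpack("<I", raw)[0]    # what the pickle format defines
            left = len(data) - f.tell()
            if signed < 0:
                return [(name, pos, f"BINUNICODE length {size:#x} is negative as int32 ({signed})")]
            if size > left:
                return [(name, pos, f"BINUNICODE length {size} exceeds {left} remaining bytes")]
            f.seek(size, io.SEEK_CUR)  # skip the string body
        elif op.arg is not None:
            try:
                op.arg.reader(f)  # consume the argument of any other opcode
            except (ValueError, struct.error) as exc:
                return [(name, pos, f"{op.name}: {exc}")]
        if op.name == "STOP":
            return []

def scan_checkpoint(path):
    """Scan each .pkl member of a zip checkpoint, or the file itself if it is not a zip."""
    if not zipfile.is_zipfile(path):
        with open(path, "rb") as fh:
            return scan_stream(fh.read(), path)
    findings = []
    with zipfile.ZipFile(path) as zf:
        for member in zf.namelist():
            if member.endswith(".pkl"):
                findings += scan_stream(zf.read(member), f"{path}:{member}")
    return findings
```

Call `scan_checkpoint(path)` on each file returned by the `find` command above; for a file that is not a zip archive, only the first pickle stream, up to its STOP opcode, is examined. An empty result means no malformed BINUNICODE length was found, not that the file is safe to unpickle.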

Mitigation Strategies

The primary mitigation is to upgrade to the patched version of stable-diffusion.cpp, specifically version master-584-0a7ae07 or later, where the vulnerability has been fixed.

If immediate upgrading is not possible, you should:

  • Only load .ckpt checkpoint files from trusted sources to avoid maliciously crafted files.
  • Prefer using safer model formats such as .safetensors instead of .ckpt files.
  • Restrict or monitor the loading of legacy PyTorch checkpoint files (.pt or .pth) as the patched version introduces restricted support for these formats.

Compliance Impact

The vulnerability in stable-diffusion.cpp involves a heap buffer overflow that can lead to heap corruption, process crashes, or potentially code execution when loading malicious .ckpt files from untrusted sources.

This vulnerability impacts confidentiality, integrity, and availability of the affected system, which are core principles in many compliance standards such as GDPR and HIPAA.

If exploited, unauthorized code execution or data corruption could lead to breaches of sensitive data or system downtime, thereby potentially causing non-compliance with regulations that require protection of personal data and system integrity.

Mitigation involves applying the patch or only loading checkpoint files from trusted sources and preferring safer formats, which helps maintain compliance by reducing the risk of exploitation.
