CVE-2026-47748
Out-of-Bounds Read in Stable Diffusion.cpp PyTorch Checkpoint Parsing

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: GitHub, Inc.

Description
stable-diffusion.cpp is a pure C/C++ library for running diffusion model (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more) inference. Versions prior to master-584-0a7ae07 are vulnerable to an out-of-bounds read through PyTorch checkpoint pickle opcode parsing. The pickle .ckpt parser in src/model.cpp did not consistently check that enough input remained before reading opcode arguments or advancing the parser buffer when handling a crafted or truncated .ckpt file. Throughout the pickle parser, opcode handlers advanced the parser position with expressions such as buffer += N without first checking that buffer + N <= buffer_end. A truncated file could therefore cause reads past the end of the metadata buffer. LibFuzzer found crashes in under one second using malformed checkpoint inputs. Any application that uses an affected stable-diffusion.cpp release to load untrusted .ckpt model files could be vulnerable. The attack requires the victim or application to load a .ckpt file from an untrusted source, such as a model downloaded from a model sharing site. This issue has been fixed in version master-584-0a7ae07. Developers who are unable to update their applications immediately can work around this issue by ensuring they do not load .ckpt checkpoint files from untrusted sources; they should prefer trusted model sources and safer formats such as .safetensors where possible.
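The guarded advance the description calls for, as an added example that is not code from stable-diffusion.cpp: a small walker over the pickle opcode subset typical of checkpoint metadata that tests buffer + N <= buffer_end (here Cursor::need) before every advance, so a truncated stream or a length field larger than the remaining input ends in an error instead of a read past the buffer. The opcode subset and the PickleScan/Cursor names are assumptions for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>
// Result of walking a pickle opcode stream.
struct PickleScan {
    bool ok = false;
    size_t opcodes = 0;   // opcodes consumed before STOP or the error
    std::string error;    // empty when ok
};
// Bounds-checked cursor: every advance is guarded by need(n), the
// `buffer + N <= buffer_end` test the advisory says was missing.
struct Cursor {
    const uint8_t* p;
    const uint8_t* end;
    bool need(size_t n) const { return static_cast<size_t>(end - p) >= n; }
    bool skip(size_t n) { if (!need(n)) return false; p += n; return true; }
};
static uint32_t rd_u32le(const uint8_t* p) {   // caller has checked need(4)
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
// Walks the pickle opcode subset typical of checkpoint metadata (assumed subset)
// and stops cleanly on truncation instead of reading past buf + len.
PickleScan scan_pickle(const uint8_t* buf, size_t len) {
    PickleScan r;
    Cursor c{buf, buf + len};
    for (;;) {
        if (!c.need(1)) { r.error = "truncated before opcode"; return r; }
        uint8_t op = *c.p++;
        r.opcodes++;
        size_t fixed = 0, payload = 0;   // fixed-size argument, then variable payload
        switch (op) {
            case '.': r.ok = true; return r;                                         // STOP
            case '(': case 'N': case '}': case ')': case ']': case 's': case 'u': break;  // no argument
            case 0x80: case 'K': case 'q': case 'h': fixed = 1; break;              // PROTO BININT1 BINPUT BINGET
            case 'J': fixed = 4; break;                                              // BININT
            case 'U': case 0x8c:                                                     // SHORT_BINSTRING/UNICODE
                if (!c.need(1)) { r.error = "truncated length"; return r; }
                fixed = 1; payload = c.p[0]; break;
            case 'X':                                                                // BINUNICODE
                if (!c.need(4)) { r.error = "truncated length"; return r; }
                fixed = 4; payload = rd_u32le(c.p); break;
            default: r.error = "unsupported opcode"; return r;
        }
        // Two guarded advances: no unchecked buffer += N, and no overflow from adding a hostile length.
        if (!c.skip(fixed) || !c.skip(payload)) { r.error = "truncated argument"; return r; }
    }
}
```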
Meta Information
Published: 2026-06-16
Last Modified: 2026-06-16
Generated: 2026-06-16
EPSS Evaluated: N/A
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-125: The product reads data past the end, or before the beginning, of the intended buffer.
Executive Summary

CVE-2026-47748 is a vulnerability in the stable-diffusion.cpp library, which is used for running diffusion models like Stable Diffusion. The issue is an out-of-bounds read in the PyTorch checkpoint (.ckpt) pickle opcode parser in src/model.cpp. Specifically, the parser does not consistently check that enough input remains before reading opcode arguments or advancing the parser buffer. A crafted or truncated .ckpt file can therefore make the parser read beyond the end of the metadata buffer, potentially leading to crashes.

The vulnerability is triggered when an application loads a malicious or malformed .ckpt file from an untrusted source. The problem was discovered through fuzz testing, which produced crashes within seconds. It was fixed in version master-584-0a7ae07 by refactoring checkpoint loading to restrict legacy PyTorch checkpoint support and adding the missing bounds checks.

Impact Analysis

This vulnerability can impact you by causing denial of service (DoS) in applications that use affected versions of stable-diffusion.cpp to load .ckpt model files from untrusted sources. A maliciously crafted or truncated checkpoint file can trigger out-of-bounds reads, leading to application crashes.

The attack requires the victim or application to load a .ckpt file from an untrusted source, such as a model downloaded from a sharing site. If exploited, it can disrupt availability by crashing the process handling the model loading.

To mitigate the impact, developers should update to the fixed version (master-584-0a7ae07 or later), avoid loading .ckpt files from untrusted sources, and prefer safer formats like .safetensors.

Detection Guidance

This vulnerability manifests as out-of-bounds reads that crash the process when a malformed or truncated .ckpt checkpoint file is loaded through the stable-diffusion.cpp library. Detection therefore centres on application crashes or abnormal behaviour that coincide with loading .ckpt files.

Since the issue is triggered by loading crafted or truncated .ckpt files, you can detect attempts by reviewing application and crash logs for failures during checkpoint loading, and by monitoring which processes load such files and where the files came from.

No specific detection commands are provided in the available resources.

Mitigation Strategies

To mitigate this vulnerability immediately, you should avoid loading .ckpt checkpoint files from untrusted sources.

Prefer using safer model formats such as .safetensors whenever possible.

Upgrade to the patched version of stable-diffusion.cpp, specifically master-584-0a7ae07 or later, which restricts legacy checkpoint loading and adds error handling.
