CVE-2026-47749
Received - Intake
Heap Buffer Overflow in stable-diffusion.cpp

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: GitHub, Inc.

Description
stable-diffusion.cpp is a pure C/C++ library for running diffusion model (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more) inference. Versions prior to master-584-0a7ae07 are vulnerable to heap buffer overflow in SHORT_BINUNICODE parsing for PyTorch checkpoint files. The pickle .ckpt parser in src/model.cpp contained a heap buffer overflow vulnerability in the SHORT_BINUNICODE opcode handler. The issue was caused by sign confusion on the opcode length field. A crafted .ckpt file could trigger memcpy with a very large length derived from a negative signed value, causing immediate heap corruption. Any application using affected stable-diffusion.cpp releases to load untrusted .ckpt model files could be vulnerable. A malicious checkpoint file could cause heap corruption through memcpy with an attacker-controlled length. This may lead to process crash and could potentially be leveraged for code execution depending on heap layout. The attack requires the victim or application to load a .ckpt file from an untrusted source, such as a downloaded model from a model sharing site. The issue has been resolved in version master-584-0a7ae07. If developers are unable to immediately update their applications they can work around this issue by not loading .ckpt checkpoint files from untrusted sources, and referring to trusted model sources and safer formats such as .safetensors where possible.
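
The sign-confusion pattern described above, shown next to a bounds-checked read, as an added example that is not the project's code or its patch. It assumes the standard pickle layout for SHORT_BINUNICODE (opcode 0x8c, a 1-byte length, then the UTF-8 bytes); the helper names and the signed 8-bit interpretation of the length are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHORT_BINUNICODE 0x8c /* pickle protocol 4: 1-byte length, then UTF-8 bytes */

/* Sign confusion in isolation: the length byte read through a signed type,
 * then converted to the size_t that memcpy takes. The int8_t conversion is
 * implementation-defined before C23; mainstream compilers wrap. */
size_t length_if_signed(uint8_t raw) {
    int8_t as_signed = (int8_t)raw; /* 0x80..0xff become -128..-1 */
    return (size_t)as_signed;       /* a negative value becomes a huge size_t */
}

/* Hardened read (hypothetical helper, not the project's function).
 * Returns bytes consumed from buf, or -1 if the record is rejected. */
int read_short_binunicode(const uint8_t *buf, size_t buf_len,
                          char *out, size_t out_cap) {
    if (buf_len < 2 || buf[0] != SHORT_BINUNICODE) return -1;
    size_t len = buf[1];              /* unsigned: always 0..255 */
    if (len > buf_len - 2) return -1; /* declared length exceeds remaining input */
    if (len + 1 > out_cap) return -1; /* no room for payload plus NUL */
    memcpy(out, buf + 2, len);
    out[len] = '\0';
    return (int)(len + 2);
}

int main(void) {
    /* Constructed sample records, not taken from any real checkpoint. */
    const uint8_t ok[] = {SHORT_BINUNICODE, 3, 'a', 'b', 'c'};
    const uint8_t truncated[] = {SHORT_BINUNICODE, 0xff, 'a'};
    char out[16];

    printf("signed view of 0xff -> %zu bytes\n", length_if_signed(0xff));
    printf("well-formed record: %d\n", read_short_binunicode(ok, sizeof ok, out, sizeof out));
    printf("truncated record:   %d\n", read_short_binunicode(truncated, sizeof truncated, out, sizeof out));
    return 0;
}
```

Keeping the length in an unsigned type and checking it against both the remaining input and the destination capacity before the copy is what closes this class of bug (CWE-787 / CWE-122).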

Meta Information

Published: 2026-06-16
Last Modified: 2026-06-16
Generated: 2026-06-16
AI Q&A: 2026-06-16
EPSS Evaluated: N/A

Affected Vendors & Products
Currently, no data is known.

CWE

  • CWE-787: The product writes data past the end, or before the beginning, of the intended buffer.
  • CWE-122: A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

Executive Summary

CVE-2026-47749 is a heap buffer overflow vulnerability in the stable-diffusion.cpp library, specifically in the SHORT_BINUNICODE parsing of PyTorch checkpoint (.ckpt) files.

The issue is caused by sign confusion in the opcode length field, where a crafted .ckpt file can use a negative signed value to trigger a memcpy operation with an extremely large length, leading to immediate heap corruption.

This vulnerability can cause process crashes and potentially allow code execution depending on the heap layout.

It affects versions of stable-diffusion.cpp prior to master-584-0a7ae07 and requires loading a malicious .ckpt file from an untrusted source.

The issue has been fixed in version master-584-0a7ae07 by restricting checkpoint loading.

Impact Analysis

If you use affected versions of stable-diffusion.cpp to load untrusted .ckpt model files, a maliciously crafted checkpoint file could cause heap corruption.

This can lead to application crashes and, depending on the heap layout, may allow an attacker to execute arbitrary code.

Such impacts affect the confidentiality, integrity, and availability of the affected application.

The attack requires local loading of a malicious file, but no special privileges are needed.

Detection Guidance

This vulnerability arises when an application using stable-diffusion.cpp loads a malicious .ckpt PyTorch checkpoint file that triggers a heap buffer overflow. Detection involves monitoring for crashes or abnormal behavior in applications loading .ckpt files, especially if these files come from untrusted sources.

Since the issue is triggered by loading crafted .ckpt files, you can detect attempts by checking for the presence and usage of such files in your environment.

Suggested checks and commands to help detect potential exploitation attempts include:

  • Use file integrity monitoring or hash checks on .ckpt files to detect unexpected or untrusted files.
  • Monitor application logs for crashes or errors related to stable-diffusion.cpp or model loading.
  • Use system tools like `strace` or `ltrace` on the application process to observe file access and memory operations when loading .ckpt files.
  • Run commands to find .ckpt files, for example: `find /path/to/models -name '*.ckpt'` to audit checkpoint files.
  • If you have debugging enabled, use tools like `gdb` to catch heap corruption or crashes during model loading.

Mitigation Strategies

Immediate mitigation steps include:

  • Upgrade stable-diffusion.cpp to version master-584-0a7ae07 or later, which contains the patch that fixes this vulnerability.
  • Avoid loading .ckpt checkpoint files from untrusted or unknown sources to prevent exploitation.
  • Prefer using safer model formats such as .safetensors instead of .ckpt files.
  • If upgrading immediately is not possible, implement strict validation or sandboxing around the loading of .ckpt files to limit potential damage.