CVE-2026-47749
Analyzed Analyzed - Analysis Complete

Heap Buffer Overflow in stable-diffusion.cpp

Vulnerability report for CVE-2026-47749, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-16

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description

stable-diffusion.cpp is a pure C/C++ library for running diffusion model (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more) inference. Versions prior to master-584-0a7ae07 are vulnerable to heap buffer overflow in SHORT_BINUNICODE parsing for PyTorch checkpoint files. The pickle .ckpt parser in src/model.cpp contained a heap buffer overflow vulnerability in the SHORT_BINUNICODE opcode handler. The issue was caused by sign confusion on the opcode length field. A crafted .ckpt file could trigger memcpy with a very large length derived from a negative signed value, causing immediate heap corruption. Any application using affected stable-diffusion.cpp releases to load untrusted .ckpt model files could be vulnerable. A malicious checkpoint file could cause heap corruption through memcpy with an attacker-controlled length. This may lead to process crash and could potentially be leveraged for code execution depending on heap layout. The attack requires the victim or application to load a .ckpt file from an untrusted source, such as a downloaded model from a model sharing site. The issue has been resolved in version master-584-0a7ae07. If developers are unable to immediately update their applications they can work around this issue by not loading .ckpt checkpoint files from untrusted sources, and referring to trusted model sources and safer formats such as .safetensors where possible.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-16
Last Modified
2026-06-25
Generated
2026-07-07
AI Q&A
2026-06-16
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
leejet stable-diffusion.cpp to master-584-0a7ae07 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability in stable-diffusion.cpp allows for heap buffer overflow through crafted .ckpt files, potentially leading to process crashes or code execution. This can impact confidentiality, integrity, and availability of systems using affected versions.

Such impacts on confidentiality, integrity, and availability could affect compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and system reliability.

However, the vulnerability requires loading untrusted checkpoint files, so compliance risk depends on whether untrusted or malicious files are processed.

Mitigations include upgrading to patched versions, avoiding untrusted .ckpt files, and using safer formats like .safetensors, which can help maintain compliance.

Executive Summary

CVE-2026-47749 is a heap buffer overflow vulnerability in the stable-diffusion.cpp library, specifically in the SHORT_BINUNICODE parsing of PyTorch checkpoint (.ckpt) files.

The issue is caused by sign confusion in the opcode length field, where a crafted .ckpt file can use a negative signed value to trigger a memcpy operation with an extremely large length, leading to immediate heap corruption.

This vulnerability can cause process crashes and potentially allow code execution depending on the heap layout.

It affects versions of stable-diffusion.cpp prior to master-584-0a7ae07 and requires loading a malicious .ckpt file from an untrusted source.

The issue has been fixed in version master-584-0a7ae07 by restricting checkpoint loading.

Impact Analysis

If you use affected versions of stable-diffusion.cpp to load untrusted .ckpt model files, a maliciously crafted checkpoint file could cause heap corruption.

This can lead to application crashes and, depending on the heap layout, may allow an attacker to execute arbitrary code.

Such impacts affect the confidentiality, integrity, and availability of the affected application.

The attack requires local loading of a malicious file, but no special privileges are needed.

Detection Guidance

This vulnerability arises when an application using stable-diffusion.cpp loads a malicious .ckpt PyTorch checkpoint file that triggers a heap buffer overflow. Detection involves monitoring for crashes or abnormal behavior in applications loading .ckpt files, especially if these files come from untrusted sources.

Since the issue is triggered by loading crafted .ckpt files, you can detect attempts by checking for the presence and usage of such files in your environment.

Suggested commands to help detect potential exploitation attempts include:

  • Use file integrity monitoring or hash checks on .ckpt files to detect unexpected or untrusted files.
  • Monitor application logs for crashes or errors related to stable-diffusion.cpp or model loading.
  • Use system tools like `strace` or `ltrace` on the application process to observe file access and memory operations when loading .ckpt files.
  • Run commands to find .ckpt files, for example: `find /path/to/models -name '*.ckpt'` to audit checkpoint files.
  • If you have debugging enabled, use tools like `gdb` to catch heap corruption or crashes during model loading.
Mitigation Strategies

Immediate mitigation steps include:

  • Upgrade stable-diffusion.cpp to version master-584-0a7ae07 or later, which contains the patch that fixes this vulnerability.
  • Avoid loading .ckpt checkpoint files from untrusted or unknown sources to prevent exploitation.
  • Prefer using safer model formats such as .safetensors instead of .ckpt files.
  • If upgrading immediately is not possible, implement strict validation or sandboxing around the loading of .ckpt files to limit potential damage.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47749. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart