Listen to this Post
The vulnerability resides in PyTorch’s `weights_only=True` unpickler, designed to safely load only model tensors from `.pth` checkpoint files. The security mechanism failed to properly validate low-level Pickle opcodes and tensor storage metadata during deserialization. Specifically, it incorrectly allowed the `SETITEM` and `SETITEMS` opcodes to be executed on non-dictionary Python objects. This flaw, combined with a lack of validation for declared storage size versus actual archived data, enables an attacker to craft a malicious file that corrupts the heap’s memory layout. By precisely manipulating these primitives, an attacker can overwrite critical pointers or data structures in memory. When the corrupted memory is later accessed or used by the PyTorch process, it can lead to a crash, data corruption, or the execution of attacker-controlled code, effectively bypassing the intended `weights_only` safety restriction.
Platform: PyTorch
Version: < 2.3.0
Vulnerability : Memory Corruption
Severity: Critical
Date: 2024-05-16
Prediction: 2024-05-30
What Undercode Say:
Analytics
Find potentially vulnerable load calls in codebase
grep -r "torch.load.weights_only=True" /path/to/project/
Example of a safe load call (but vulnerable before patch)
import torch
model = torch.load('checkpoint.pth', weights_only=True)
Check PyTorch version
python -c "import torch; print(torch.<strong>version</strong>)"
How Exploit
Malicious checkpoint payload structure import pickle, torch class MaliciousTensor: def <strong>reduce</strong>(self): Corrupting SETITEM opcode on non-dict return (setattr, (..., ..., ...)) torch.save(MaliciousTensor(), 'exploit.pth')
Protection from this CVE
- Update PyTorch
- Verify checkpoint sources
- Use virtual environments
- Temporary workaround: Avoid `weights_only=True`
Impact
- Arbitrary Code Execution
- Memory Corruption
- Bypass Safety Features
- Local Privilege Escalation
- Process Crash
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

