PyTorch's checkpoint loading mechanism has been found to contain a serious flaw that lets attackers use malicious model files to run arbitrary code. When processing checkpoint files, the weights_only unpickler fails to correctly validate pickle opcodes and storage metadata.

Researchers have designated this vulnerability CVE-2026-24747 and assigned it a CVSS v3 score of 9.8, indicating serious risk to confidentiality, integrity, and availability.

Overview of Vulnerabilities

The flaw lies in PyTorch's weights_only feature, which was intended to load model checkpoints securely by limiting the pickle operations permitted, but whose validation is insufficient. By crafting malicious checkpoint files (.pth) that exploit the unpickler's flaws, attackers can bypass these limitations.

When a user loads such a file with torch.load() and weights_only=True, the malicious payload runs with the same privileges as the victim's process. PyTorch versions 2.9.1 and lower are affected. No privileges are required to exploit the flaw, but user interaction is: the victim must load the malicious checkpoint file.

The attack vector is classified as network-based and low-complexity, which makes it relatively easy for attackers to exploit through compromised repositories or distributed malicious models. The underlying problem involves two attack vectors. First, attackers can cause heap memory corruption by using SETITEM and SETITEMS opcodes that operate on non-dictionary types. Second, malicious archives can declare a storage element count that does not match the data actually present, allowing memory writes beyond expected boundaries.

By overwriting crucial memory areas during the unpickling process, these memory corruption techniques allow arbitrary code execution. With complete control over the victim's execution context, the attacker may be able to compromise the host system running the PyTorch application. Versions of PyTorch up to 2.9.1 are susceptible.

The development team fixed this problem in version 2.10.0 and later by properly validating pickle opcodes and storage metadata. Users should update to PyTorch 2.10.0 or later right away, and organizations that run PyTorch should treat the upgrade as a top priority. Until updates are in place, users should be extremely cautious when loading checkpoint files from untrusted sources.

Machine learning practitioners should verify the integrity and origin of model files before loading them, especially in production environments.
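As an added example (not code from the article or from the PyTorch project), the following Python script shows one way to carry out the origin and integrity verification recommended here, and it doubles as the file-integrity check suggested among the further measures: it refuses to hand a checkpoint to the loader unless the file's SHA-256 digest matches a manifest of trusted digests maintained out-of-band and the running PyTorch is at least the 2.10.0 release the article names as fixed. The manifest format, the file name model.pth, the constructed placeholder bytes and the stub loader standing in for torch.load are assumptions made for this example.

```python
"""Added example (not the article's or PyTorch's code): a gate that refuses to load a
checkpoint unless its SHA-256 digest matches an out-of-band manifest and the runtime
is at least the patched release the article names (2.10.0)."""
import hashlib
import hmac
import re
import tempfile
from pathlib import Path
from typing import Any, Callable, Dict, Tuple

# First release the article names as fixed for CVE-2026-24747.
FIXED_VERSION: Tuple[int, ...] = (2, 10, 0)


def parse_version(version: str) -> Tuple[int, ...]:
    """Reduce '2.9.1', '2.10.0+cu121' or '2.11.0.dev20260101' to a comparable tuple.
    Comparing tuples avoids the string-comparison trap where '2.9.1' sorts after '2.10.0'."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(torch_version: str) -> bool:
    """True when the installed PyTorch is 2.10.0 or later."""
    return parse_version(torch_version) >= FIXED_VERSION


def sha256_of_file(path: Path) -> str:
    """Stream the file through SHA-256 so large checkpoints need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def load_checkpoint_trusted(
    path: Path,
    manifest: Dict[str, str],
    torch_version: str,
    loader: Callable[[Path], Any],
) -> Any:
    """Load `path` via `loader` only if the runtime is patched and the digest is on the manifest.

    `manifest` maps file name -> expected SHA-256 hex digest (assumed to be distributed
    out-of-band, e.g. signed alongside the model). `loader` stands in for torch.load so
    the example runs without PyTorch installed; in production pass
    functools.partial(torch.load, weights_only=True).
    """
    if not is_patched(torch_version):
        raise RuntimeError(
            f"PyTorch {torch_version} is affected by CVE-2026-24747; upgrade to 2.10.0 or later"
        )
    expected = manifest.get(path.name)
    if expected is None:
        raise PermissionError(f"{path.name} is not listed in the trusted-checkpoint manifest")
    actual = sha256_of_file(path)
    # Constant-time comparison; both operands are ASCII hex strings.
    if not hmac.compare_digest(actual, expected):
        raise PermissionError(f"digest mismatch for {path.name}: file was modified or replaced")
    return loader(path)


def demo() -> Dict[str, Any]:
    """Constructed scenario: a trusted file, an unpatched runtime, then a tampered file."""
    results: Dict[str, Any] = {}

    def stub_loader(p: Path) -> Dict[str, str]:  # stands in for torch.load
        return {"loaded": p.name}

    with tempfile.TemporaryDirectory() as tmp:
        ckpt = Path(tmp) / "model.pth"
        # Constructed placeholder bytes, not a real checkpoint archive.
        ckpt.write_bytes(b"PK\x03\x04 constructed stand-in for a zip-based checkpoint")
        manifest = {"model.pth": sha256_of_file(ckpt)}

        results["good"] = load_checkpoint_trusted(ckpt, manifest, "2.10.0", stub_loader)

        try:
            load_checkpoint_trusted(ckpt, manifest, "2.9.1", stub_loader)
            results["old_runtime"] = "loaded"
        except RuntimeError:
            results["old_runtime"] = "rejected"

        # Simulate the file being swapped for a different one of the same name.
        ckpt.write_bytes(b"PK\x03\x04 tampered contents")
        try:
            load_checkpoint_trusted(ckpt, manifest, "2.10.0", stub_loader)
            results["tampered"] = "loaded"
        except PermissionError:
            results["tampered"] = "rejected"

    return results


if __name__ == "__main__":
    print(demo())
```

The version gate is there because weights_only=True is precisely the control this vulnerability bypasses on releases up to 2.9.1, so a loader wrapper should not treat it as sufficient on its own; the digest check is what stops a checkpoint that was replaced or modified in a repository, mirror or on disk from reaching the unpickler at all. Numeric tuple comparison is used deliberately, since a naive string comparison ranks "2.9.1" above "2.10.0".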

Two further security measures are using file integrity monitoring to detect unauthorized modification of checkpoints and putting network-level controls in place to limit the loading of external model files. Teams should also examine their model distribution pipelines to make sure authenticity verification procedures are in place.

Details

CVE ID: CVE-2026-24747

Severity: High (CVSS 9.8)

This PyTorch vulnerability puts machine learning applications and research environments at serious risk. The combination of network accessibility, low attack complexity, and remote code execution capability makes prompt patching crucial. All PyTorch deployments should be updated to version 2.10.0 or later, and strict controls over model file sources should be put in place.