securityonline.info 1/29/2026, 4:25:19 AM · via preferred

Safety Broken: PyTorch “Safe” Mode Bypassed by Critical RCE Flaw

CyberSIXT Evidence Panel (CVE Intel): CISA KEV: not listed; Patch: available.

PyTorch has patched a high-severity vulnerability, tracked as CVE-2026-24747 with a CVSS score of 8.8, that allows attackers to execute arbitrary code even when users enable the weights_only=True safe-loading setting. The flaw lies in the weights_only=True unpickler, which is designed to load model data without executing code, and stems from it failing to properly validate pickle opcodes and storage metadata.

By crafting a malicious checkpoint file with a .pth extension, an attacker can trigger heap memory corruption or a storage size mismatch, potentially hijacking the victim’s process when the poisoned file is loaded. The issue affects PyTorch 2.9.1 and all earlier versions; a fix has been released in version 2.10.0, and developers and data scientists are urged to update their environments immediately so that safe loading practices are actually secure.

This vulnerability raises concerns for the AI supply chain, where researchers commonly download model checkpoints from public repositories such as Hugging Face or GitHub. The advisory notes that an attacker who can persuade a user to load a malicious checkpoint may achieve arbitrary code execution in the victim’s process.
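Because the weakness sits inside the "safe" loader itself, the practical mitigations are the two the advisory implies: run a fixed release (2.10.0 or later) and only load checkpoints whose provenance you have verified. The following pre-load gate is an added example written for this page; it is not code from the article, from CyberSIXT, or from the PyTorch project. It refuses to call torch.load unless the installed torch version carries the fix and the file's SHA-256 matches an allowlist of vetted checkpoints. The function names, the allowlist, and its digest values are assumptions and constructed placeholders, not real model hashes.

```python
"""Pre-load gate for PyTorch checkpoints (added example, not project code).

Two checks run before a .pth file ever reaches the unpickler:
  1. the installed torch version is at or above 2.10.0, the release the
     advisory names as carrying the CVE-2026-24747 fix;
  2. the file's SHA-256 matches an entry in a team-maintained allowlist,
     so an unvetted download from a public repository is never loaded.
"""
import hashlib
import hmac
import re
from pathlib import Path

# First release with the CVE-2026-24747 fix, per the advisory.
FIXED_VERSION = (2, 10, 0)

# Constructed placeholder allowlist: filename -> expected SHA-256 hex digest.
# Populate this from your own model registry; the value below is not real.
TRUSTED_CHECKPOINTS = {
    "resnet_demo.pth": "<placeholder-sha256-from-your-model-registry>",
}


def parse_version(version: str) -> tuple:
    """Return the numeric (major, minor, patch) triple of a torch version string,
    ignoring local or pre-release suffixes such as '+cu121' or 'a0'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_patched(version: str) -> bool:
    """True when the given torch version is 2.10.0 or later."""
    return parse_version(version) >= FIXED_VERSION


def sha256_file(path) -> str:
    """Stream the file through SHA-256 so large checkpoints are not read into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_trusted(path, allowlist=TRUSTED_CHECKPOINTS) -> bool:
    """True only when the file's digest matches the vetted entry for its name.
    A file that is not in the allowlist at all is rejected, not passed through."""
    expected = allowlist.get(Path(path).name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_file(path), expected)


def safe_load(path, allowlist=TRUSTED_CHECKPOINTS, torch_version=None):
    """Load a checkpoint only after both gates pass. torch is imported lazily
    so the gate functions themselves can be tested without torch installed."""
    import torch  # assumed available at call time

    version = torch_version or torch.__version__
    if not is_patched(version):
        raise RuntimeError(
            f"torch {version} predates the CVE-2026-24747 fix; upgrade to 2.10.0+"
        )
    if not is_trusted(path, allowlist):
        raise RuntimeError(f"{path} is not a vetted checkpoint; refusing to load")
    # weights_only=True is still the right setting on a fixed release; the gate
    # above is what protects the versions where it was bypassable.
    return torch.load(path, map_location="cpu", weights_only=True)


if __name__ == "__main__":
    for v in ("2.9.1", "2.10.0", "2.10.0+cu121"):
        print(f"torch {v}: {'patched' if is_patched(v) else 'VULNERABLE'}")
```

The version parser deliberately drops build suffixes so that wheels such as "2.10.0+cu121" are recognised as fixed, and the allowlist lookup rejects unknown filenames outright rather than falling back to loading them, which is the failure mode that matters when a checkpoint arrives from an untrusted source.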


Article by CyberSIXT