Critical severity9.8OSV Advisory· Published Aug 7, 2025· Updated Apr 15, 2026

CVE-2025-30404

Description

An integer overflow vulnerability in the loading of ExecuTorch models can cause overlapping allocations, potentially resulting in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit d158236b1dc84539c1b16843bc74054c9dcba006.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
executorchPyPI	< 0.7.0	0.7.0
org.pytorch:executorch-androidMaven	< 0.7.0	0.7.0
github.com/pytorch/executorchSwiftURL	< 0.7.0	0.7.0

Affected products

Pytorch/ExecutorchOSV
Range: ciflow/binaries/all/sdym, ciflow/binaries/sdym, stable-2023-08-01, …

Patches

d158236b1dc8

Make sure allocate() doesn't overflow

https://github.com/pytorch/executorchMengwei LiuJul 22, 2025via ghsa

commit

1 file changed · +1 −1

runtime/core/memory_allocator.h+1 −1 modified

@@ -84,7 +84,7 @@ class MemoryAllocator {
 
     // If the end of this allocation exceeds the end of this allocator, print
     // error messages and return nullptr
-    if (end > end_) {
+    if (end > end_ || end < start) {
       ET_LOG(
           Error,
           "Memory allocation failed: %zuB requested (adjusted for alignment), %zuB available",

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-hj95-mhgf-jxc4ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-30404ghsaADVISORY
github.com/pytorch/executorch/commit/d158236b1dc84539c1b16843bc74054c9dcba006nvdWEB
www.facebook.com/security/advisories/cve-2025-30404nvdWEB

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000