Critical severity 9.8 · NVD Advisory · Published Aug 8, 2025 · Updated Apr 15, 2026
CVE-2025-54952
Description
An integer overflow vulnerability in the loading of ExecuTorch models can cause smaller-than-expected memory regions to be allocated, potentially resulting in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit 8f062d3f661e20bb19b24b767b9a9a46e8359f2b.
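The wraparound described above, shown as an added example that is not taken from the advisory or from the ExecuTorch code base. `BumpArena`, its methods, `kHostileCount` and the pool size are hypothetical names and constructed values chosen for illustration:

```cpp
#include <cstddef>
#include <cstdint>

// Hypothetical bump allocator for illustration; not ExecuTorch's MemoryAllocator.
class BumpArena {
 public:
  BumpArena(uint8_t* base, size_t capacity) : cur_(base), end_(base + capacity) {}

  // Raw byte allocation: returns nullptr when the request does not fit.
  void* allocate(size_t bytes) {
    if (bytes > static_cast<size_t>(end_ - cur_)) return nullptr;
    void* p = cur_;
    cur_ += bytes;
    return p;
  }

  // Unchecked pattern: count * sizeof(T) is computed modulo SIZE_MAX + 1, so a
  // huge count can wrap to a small byte size that fits in the arena.
  template <typename T>
  T* allocate_list_unchecked(size_t count) {
    return static_cast<T*>(allocate(count * sizeof(T)));
  }

  // Checked pattern: refuse the request when the product is not representable.
  template <typename T>
  T* allocate_list_checked(size_t count) {
    if (count > SIZE_MAX / sizeof(T)) return nullptr;
    return static_cast<T*>(allocate(count * sizeof(T)));
  }

 private:
  uint8_t* cur_;
  uint8_t* end_;
};

// Constructed input: an element count such as an untrusted file could declare.
// (SIZE_MAX / 8 + 2) * 8 wraps around to exactly 8 bytes.
constexpr size_t kHostileCount = SIZE_MAX / sizeof(uint64_t) + 2;

bool unchecked_returns_undersized_buffer() {
  alignas(8) static uint8_t pool[64];
  BumpArena arena(pool, sizeof(pool));
  return arena.allocate_list_unchecked<uint64_t>(kHostileCount) != nullptr;
}

bool checked_rejects_request() {
  alignas(8) static uint8_t pool[64];
  BumpArena arena(pool, sizeof(pool));
  return arena.allocate_list_checked<uint64_t>(kHostileCount) == nullptr;
}
```

The unchecked call succeeds and hands back 8 bytes for a list the caller believes holds `kHostileCount` elements, which is the smaller-than-expected allocation the description refers to; the checked call returns `nullptr` instead.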
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| executorch (PyPI) | <= 0.6.0 | — |
Patches (1)
8f062d3f661e: Check overflow in allocation
1 file changed · +12 −1
runtime/core/memory_allocator.h+12 −1 modified@@ -12,6 +12,8 @@ #include <cinttypes> #include <cstdint> +#include <c10/util/safe_numerics.h> + #include <executorch/runtime/core/error.h> #include <executorch/runtime/platform/assert.h> #include <executorch/runtime/platform/compiler.h> @@ -137,7 +139,16 @@ class MemoryAllocator { // Some users of this method allocate lists of pointers, causing the next // line to expand to `sizeof(type *)`, which triggers a clang-tidy warning. // NOLINTNEXTLINE(bugprone-sizeof-expression) - return static_cast<T*>(this->allocate(size * sizeof(T), alignment)); + size_t bytes_size = 0; + bool overflow = c10::mul_overflows(size, sizeof(T), &bytes_size); + if (overflow) { + ET_LOG( + Error, + "Failed to allocate list of type %zu: size * sizeof(T) overflowed", + size); + return nullptr; + } + return static_cast<T*>(this->allocate(bytes_size, alignment)); } // Returns the allocator memory's base address.
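Review bot: in the second hunk, the `ET_LOG` message reads "Failed to allocate list of type %zu" but the argument passed is `size`, the element count, so the log prints a count where the text claims a type. Rewording it to something like "Failed to allocate list of %zu elements: size * sizeof(T) overflowed" would make the entry usable when triaging a rejected model. The `overflow` temporary is used once and could be folded into the `if` condition, and since the overflow path now returns `nullptr`, a line in the method's comment stating that would remind callers to check the result before writing to it.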
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
News mentions (0)
No linked articles in our index yet.