Critical severity9.8NVD Advisory· Published May 12, 2026· Updated May 13, 2026
CVE-2026-31214
CVE-2026-31214
Description
The torch-checkpoint-shrink.py script in the ml-engineering project in commit 0099885db36a8f06556efe1faf552518852cb1e0 (2025-20-27) contains an insecure deserialization vulnerability (CWE-502). The script uses torch.load() to process PyTorch checkpoint files (.pt) without enabling the security-restrictive weights_only=True parameter. This oversight allows the deserialization of arbitrary Python objects via the pickle module. A remote attacker can exploit this by providing a maliciously crafted checkpoint file, leading to arbitrary code execution in the context of the user running the script.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2(expand)+ 1 more
- (no CPE)
- (no CPE)range: = commit 0099885db36a8f06556efe1faf552518852cb1e0
Patches
Vulnerability mechanics
References
2News mentions
0No linked articles in our index yet.