VYPR
Critical severity9.8NVD Advisory· Published May 12, 2026· Updated May 13, 2026

CVE-2026-31214

CVE-2026-31214

Description

The torch-checkpoint-shrink.py script in the ml-engineering project in commit 0099885db36a8f06556efe1faf552518852cb1e0 (2025-20-27) contains an insecure deserialization vulnerability (CWE-502). The script uses torch.load() to process PyTorch checkpoint files (.pt) without enabling the security-restrictive weights_only=True parameter. This oversight allows the deserialization of arbitrary Python objects via the pickle module. A remote attacker can exploit this by providing a maliciously crafted checkpoint file, leading to arbitrary code execution in the context of the user running the script.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Stas00/ML Engineeringreferences2 versions
    (expand)+ 1 more
    • (no CPE)
    • (no CPE)range: = commit 0099885db36a8f06556efe1faf552518852cb1e0

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.