VYPR
← All advisories
Unrated severityNVD Advisory· Published May 24, 2026

Arbitrary Remote Code Execution via `_attn_implementation_internal` Config Injection in huggingface/transformers

CVE-2026-4372

Description

A critical remote code execution vulnerability exists in all versions of the HuggingFace transformers library prior to version 5.3.0. The vulnerability allows an attacker to craft a malicious config.json file containing the _attn_implementation_internal field set to an attacker-controlled HuggingFace Hub repository ID. When a victim loads this model using the standard AutoModelForCausalLM.from_pretrained() API, the library downloads and executes arbitrary Python code from the attacker's repository with the victim's full OS privileges. This issue arises due to unfiltered deserialization of configuration attributes, insufficient sanitization of internal fields, and unsandboxed execution of downloaded kernels. The vulnerability bypasses the trust_remote_code security mechanism, is invisible to the victim, and exploits the standard documented usage pattern, making it particularly severe. Users are advised to upgrade to version 5.3.0 or later to mitigate this issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A critical RCE vulnerability in HuggingFace transformers <5.3.0 allows attackers to execute arbitrary code via malicious config.json files.

Vulnerability

A critical remote code execution vulnerability exists in all versions of the HuggingFace transformers library prior to version 5.3.0 [1][2]. The bug resides in the configuration deserialization logic, where the _attn_implementation_internal field in a config.json file is set to an attacker-controlled HuggingFace Hub repository ID. When a victim loads a model using AutoModelForCausalLM.from_pretrained(), the library downloads and executes arbitrary Python code from the attacker's repository without proper sandboxing [1]. This affects the standard documented API usage pattern.

Exploitation

An attacker needs to craft a config.json file containing the _attn_implementation_internal field pointing to a malicious repository on the HuggingFace Hub. The victim must load the model using AutoModelForCausalLM.from_pretrained(), which triggers the automatic download and execution of the attacker's code [1][2]. No authentication or special privileges are required beyond hosting the malicious model on the Hub; the attack bypasses the trust_remote_code security mechanism and operates invisibly to the victim [2].

Impact

Successful exploitation leads to arbitrary code execution with the victim's full OS privileges. The attacker gains complete control over the affected system, including the ability to read, modify, or exfiltrate data, install malware, or pivot to other internal systems [2]. The impact is severe, with CVSS 9.8, as it allows full compromise of confidentiality, integrity, and availability [2].

Mitigation

Users should upgrade to HuggingFace transformers version 5.3.0 or later, which fixes the vulnerability by blocking deserialization of the _attn_implementation_internal and _experts_implementation_internal fields in the configuration class, and by restricting kernel loading to only the trusted kernels-community repository [1]. No workaround exists for unpatched versions; upgrading is the sole mitigation [2]. The fix was committed on 2026-05-24 [1].

References
  1. fix security vuln · huggingface/transformers@a7f8e7f
  2. The world’s first bug bounty platform for AI/ML

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

1
a7f8e7ff37d8

fix security vuln

https://github.com/huggingface/transformersCyril VallezMar 2, 2026via nvd-ref
commit
2 files changed · +22 9
  • src/transformers/configuration_utils.py+7 5 modified
    @@ -263,11 +263,13 @@ def __init__(
 
         # Additional attributes without default values
         for key, value in kwargs.items():
-            try:
-                setattr(self, key, value)
-            except AttributeError as err:
-                logger.error(f"Can't set {key} with value {value} for {self}")
-                raise err
+            # Check this to avoid deserializing problematic fields from hub configs - they should use the public field
+            if key not in ("_attn_implementation_internal", "_experts_implementation_internal"):
+                try:
+                    setattr(self, key, value)
+                except AttributeError as err:
+                    logger.error(f"Can't set {key} with value {value} for {self}")
+                    raise err
 
     def _create_id_label_maps(self, num_labels: int):
         self.id2label = {i: f"LABEL_{i}" for i in range(num_labels)}
  • src/transformers/integrations/hub_kernels.py+15 4 modified
    @@ -290,10 +290,21 @@ def register_kernel_mapping_transformers(*args, **kwargs):
 
 def is_kernel(attn_implementation: str | None) -> bool:
     """Check whether `attn_implementation` matches a kernel pattern from the hub."""
-    return (
-        attn_implementation is not None
-        and re.search(r"^[^/:]+/[^/:]+(?:@[^/:]+)?(?::[^/:]+)?$", attn_implementation) is not None
-    )
+    if attn_implementation is None:
+        return False
+    match_object = re.search(r"^(?:paged\|)?([^/:]+)/[^/:]+(?:@[^/:]+)?(?::[^/:]+)?$", attn_implementation)
+    if match_object is not None:
+        # Due to security reason, we only allow kernels from the `kernels-community` repo, as otherwise loading
+        # random kernels will lead to arbitrary code execution
+        repo_id = match_object.group(1)
+        if repo_id != "kernels-community":
+            logger.warning_once(
+                "For security reasons, we currently only accept kernels from the `kernels-community` repository. We "
+                f"will skip kernel from `{repo_id}`"
+            )
+            return False
+        return True
+    return False
 
 
 def load_and_register_attn_kernel(

Vulnerability mechanics

Root cause

"Unfiltered deserialization of the internal `_attn_implementation_internal` field from a model's `config.json` leads to unsandboxed execution of arbitrary code downloaded from an attacker-controlled HuggingFace Hub repository."

Attack vector

An attacker crafts a malicious `config.json` containing the `_attn_implementation_internal` field set to an attacker-controlled HuggingFace Hub repository ID (e.g., `attacker/malicious-kernel`). When a victim loads the model via `AutoModelForCausalLM.from_pretrained()`, the library deserializes this internal field [patch_id=2357168]. The `is_kernel()` function validates the field against a regex that previously accepted any `org/repo` pattern, and `load_and_register_attn_kernel()` downloads and executes arbitrary Python code from the attacker's repository with the victim's full OS privileges [patch_id=2357168]. The attack bypasses the `trust_remote_code` mechanism because kernel loading is treated as a trusted internal operation, making the exploit invisible to the victim.

Affected code

The vulnerability spans two files. In `src/transformers/configuration_utils.py`, the `__init__` method blindly calls `setattr(self, key, value)` for every key in `kwargs`, allowing the internal field `_attn_implementation_internal` to be deserialized from a malicious `config.json` [patch_id=2357168]. In `src/transformers/integrations/hub_kernels.py`, the `is_kernel()` function previously accepted any repository path matching a simple regex, and `load_and_register_attn_kernel()` would download and execute arbitrary code from that repository [patch_id=2357168].

What the fix does

The patch introduces two complementary fixes [patch_id=2357168]. In `configuration_utils.py`, the `__init__` method now skips `setattr()` for the keys `_attn_implementation_internal` and `_experts_implementation_internal`, preventing attackers from injecting these internal fields via a malicious `config.json`. In `hub_kernels.py`, the `is_kernel()` function now extracts the repository owner from the kernel path and rejects any repository that is not `kernels-community`, adding a hard allowlist that prevents arbitrary code execution from untrusted repositories [patch_id=2357168].

Preconditions

  • inputVictim must load a model using AutoModelForCausalLM.from_pretrained() with a config.json that contains the _attn_implementation_internal field
  • configAttacker must host a malicious repository on the HuggingFace Hub containing arbitrary Python code
  • networkVictim's environment must have network access to the HuggingFace Hub to download the attacker's kernel

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2

News mentions

0

No linked articles in our index yet.