Medium severity5.3NVD Advisory· Published Mar 22, 2026· Updated Apr 29, 2026

CVE-2026-4538

Description

A vulnerability was identified in PyTorch 2.10.0. The affected element is an unknown function of the component pt2 Loading Handler. The manipulation leads to deserialization. The attack can only be performed from a local environment. The exploit is publicly available and might be used. The project was informed of the problem early through a pull request but has not reacted yet.

Affected products

Linux Foundation/Pytorch
cpe:2.3:a:linuxfoundation:pytorch:2.10.0:*:*:*:*:python:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/pytorch/pytorch/pull/176791nvdIssue TrackingPatch
vuldb.comnvdThird Party AdvisoryVDB Entry
vuldb.comnvdThird Party AdvisoryVDB Entry
vuldb.comnvdPermissions RequiredVDB Entry

News mentions

Build Application Firewalls Aim to Stop the Next Supply Chain Attack
SecurityWeek · May 11, 2026
Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak
The Hacker News · May 10, 2026
Backdoored PyTorch Lightning package drops credential stealer
BleepingComputer · May 4, 2026
TeamPCP Weekly Analysis: 2026-W18 (2026-04-27 through 2026-05-03), (Mon, May 4th)
SANS Internet Storm Center · May 4, 2026
PyTorch Lightning and Intercom-client Hit in Supply Chain Attacks to Steal Credentials
The Hacker News · Apr 30, 2026

cvss	0.345
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000