VYPR
Advisory · Published Apr 15, 2026 · Updated May 18, 2026 · 1 source

Microsoft Qlib Fit Function Deserialization Flaw Allows Remote Code Execution

A deserialization vulnerability in Microsoft Qlib's fit function, disclosed as ZDI-26-274, allows remote code execution via untrusted data, with a CVSS score of 7.8.

On April 15, 2026, the Zero Day Initiative disclosed a high-severity deserialization vulnerability in Microsoft Qlib, tracked as ZDI-26-274 (ZDI-CAN-27211). The flaw resides in the `fit` function of Qlib, a machine learning library, and allows remote code execution when a user visits a malicious page or opens a malicious file. The vulnerability has a CVSS score of 7.8, indicating high severity, and requires user interaction to exploit.

The specific issue stems from the lack of proper validation of user-supplied data, leading to deserialization of untrusted data. An attacker can leverage this to execute arbitrary code in the context of root, potentially compromising the entire system. The vulnerability was reported to Microsoft on May 22, 2025, and was fixed by the vendor on May 31, 2025, according to the advisory.

Microsoft Qlib is an open-source AI platform used for quantitative investment and machine learning tasks. The library is widely adopted in financial and research sectors, making this vulnerability particularly concerning for organizations relying on Qlib for data analysis and model training. The attack vector is local, meaning an attacker must have some form of access to the system, but the impact is severe due to the potential for full system compromise.

The disclosure timeline shows that Microsoft patched the vulnerability nearly a year before the public advisory was released. This suggests that users who have kept their Qlib installations updated are protected. However, organizations that have not applied the patch remain at risk. The advisory credits Peter Girnus (@gothburz) of Trend Micro's Zero Day Initiative for discovering the flaw.

While no CVE identifier has been assigned yet, the advisory provides sufficient details for security teams to identify and remediate the issue. The vulnerability is classified as a deserialization flaw, a common but dangerous class of bugs that can lead to remote code execution. Microsoft's fix addresses the root cause by implementing proper validation of serialized data.
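The bug class and the kind of fix described above, as an added illustration that is not Qlib's code and is not taken from the advisory: it assumes the serialized format is Python pickle (the advisory does not say which format is involved), and shows that stock `pickle.loads` resolves whatever importable name the bytes reference, whereas an allow-list unpickler that a `fit`-style loader could use refuses anything outside the expected model types. The `LEGIT_ARTIFACT` and `HOSTILE_ARTIFACT` inputs are constructed here.

```python
import collections
import io
import json
import pickle

# Assumption, not stated in the advisory: the artifact passed to fit() is a pickle.
# Only these (module, name) pairs may be resolved while loading a model artifact.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only allow-listed globals; refuse every other importable name."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve global {module}.{name}")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_model_params(data: bytes) -> dict:
    """Loader a fit()-style entry point could use: allow-list enforced, shape checked."""
    obj = restricted_loads(data)
    if not isinstance(obj, dict):
        raise ValueError("model artifact must be a mapping of parameters")
    return dict(obj)


def default_loads_resolves(data: bytes):
    """The hazard: stock pickle.loads imports and hands back whatever global the bytes name."""
    obj = pickle.loads(data)
    return (obj.__module__, obj.__qualname__)


def restricted_rejects(data: bytes) -> bool:
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


# Constructed inputs: a benign parameter mapping, and an artifact that merely names an
# arbitrary importable callable (json.dumps, chosen because it is harmless).
LEGIT_ARTIFACT = pickle.dumps(collections.OrderedDict([("lr", 0.01), ("epochs", 3)]))
HOSTILE_ARTIFACT = pickle.dumps(json.dumps)
```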

Given the high CVSS score and the potential for code execution, organizations using Microsoft Qlib should verify that they are running a version patched after May 31, 2025. The advisory also highlights the importance of user awareness, as exploitation requires interaction such as visiting a malicious page or opening a malicious file. Security teams should educate users about the risks of untrusted content.

This disclosure adds to a growing list of deserialization vulnerabilities in popular software libraries. As machine learning and AI tools become more integrated into critical workflows, securing them against such flaws is paramount. The coordinated disclosure process between Microsoft and ZDI ensured that a patch was available before public details were released, allowing users to protect their systems proactively.

Synthesized by Vypr AI