Bug 2364237 (CVE-2025-4287)

Summary: CVE-2025-4287 PyTorch: PyTorch nccl.py torch.cuda.nccl.reduce denial of service
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A problematic vulnerability has been identified in PyTorch version 2.6.0 with CUDA 12.4. The affected component is the torch.cuda.nccl.reduce function within the torch/cuda/nccl.py file. Exploitation of this vulnerability can lead to a denial-of-service condition. The attack can be launched from the local host. Public exploit code for this issue is currently available, increasing the potential for exploitation.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2364308, 2364309, 2364310    
Bug Blocks:    

Description OSIDB Bzimport 2025-05-05 21:01:13 UTC
A vulnerability was found in PyTorch 2.6.0+cu124. It has been rated as problematic. Affected by this issue is the function torch.cuda.nccl.reduce of the file torch/cuda/nccl.py. The manipulation leads to denial of service. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The patch is identified as 5827d2061dcb4acd05ac5f8e65d8693a481ba0f5. It is recommended to apply a patch to fix this issue.