Bug 2360999 (CVE-2025-32434) - CVE-2025-32434 PyTorch: PyTorch: `torch.load` with `weights_only=True` leads to remote code execution
Summary: CVE-2025-32434 PyTorch: PyTorch: `torch.load` with `weights_only=True` leads ...
Keywords:
Status: NEW
Alias: CVE-2025-32434
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2361314 2361306 2361307 2361308 2361309 2361310 2361311 2361312 2361313 2361315 2361316 2361317 2361318 2361319 2361320
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-04-18 16:01 UTC by OSIDB Bzimport
Modified: 2026-02-01 22:48 UTC (History)
1 user (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2026-02-01 22:46:33 UTC
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-04-18 16:01:26 UTC 
PyTorch is a Python package that provides tensor computation with strong GPU acceleration and deep neural networks built on a tape-based autograd system. In version 2.5.1 and prior, a Remote Command Execution (RCE) vulnerability exists in PyTorch when loading a model using torch.load with weights_only=True. This issue has been patched in version 2.6.0.
Comment 2 Teron Seen 2025-07-31 22:00:29 UTC Comment hidden (spam)
Comment 3 Alexander Lent 2025-12-25 01:38:53 UTC 
The fixing commit is https://github.com/pytorch/pytorch/commit/8d4b8a920a2172523deb95bf20e8e52d50649c04
Comment 4 piterfreide3 2026-01-31 20:22:25 UTC Comment hidden (spam)
Comment 6 Jeff Fearn 🐞 2026-02-01 22:47:41 UTC 
oops
Note You need to log in before you can comment on or make changes to this bug.