CVE-2026-31214 - Vulnerability Analysis
Critical | CVSS: 9.8 | Last Updated: May 13, 2026
ml-engineering torch-checkpoint-shrink.py - Insecure Deserialization
Published: May 12, 2026 | Updated: May 13, 2026 | Remote Exploitable
Overview
The torch-checkpoint-shrink.py script in ml-engineering contains an insecure deserialization vulnerability caused by calling torch.load() without weights_only=True. This lets remote attackers execute arbitrary code via crafted checkpoint files. Exploitation requires a malicious checkpoint file.
Severity & Score
Severity: Critical
CVSS Score: 9.8
Impact
Remote attackers can execute arbitrary code in the context of the user running the script, potentially leading to full system compromise.
Mitigation
Update the script to use torch.load() with weights_only=True or apply security patches to restrict deserialization.
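As a complement to the weights_only=True fix, the following added example (not code from this page or from the ml-engineering project) statically lists the imports a zip-format checkpoint's pickle stream requests, without deserializing it, and reports any outside an allowlist. The allowlist, the `archive/data.pkl` member name used for the constructed samples, and all function names are assumptions for illustration; only the Python standard library is used.

```python
import io
import pickle
import pickletools
import shutil
import zipfile
from collections import OrderedDict

# Assumption: illustrative allowlist, not PyTorch's actual weights_only list.
ALLOWED = {("collections", "OrderedDict"), ("torch._utils", "_rebuild_tensor_v2")}
STR_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
GET_OPS, PUT_OPS = {"GET", "BINGET", "LONG_BINGET"}, {"PUT", "BINPUT", "LONG_BINPUT"}

def pickle_globals(data):
    """List (module, name) imports a pickle requests, without executing it."""
    found, recent, memo = [], [], {}
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STR_OPS:
            recent.append(arg)
        elif op.name in GET_OPS:
            recent.append(memo.get(arg))
        elif op.name == "MEMOIZE":
            memo[len(memo)] = recent[-1] if recent else None
        elif op.name in PUT_OPS:
            memo[arg] = recent[-1] if recent else None
        elif op.name != "FRAME":  # any other opcode invalidates tracked strings
            if op.name in ("GLOBAL", "INST"):
                found.append(tuple(arg.split(" ", 1)))
            elif op.name == "STACK_GLOBAL":
                pair = tuple(recent[-2:])
                # Fail closed: unresolved operands never match the allowlist.
                found.append(pair if len(pair) == 2 and all(pair) else ("?", "?"))
            recent = []
    return found

def scan_checkpoint(blob):
    """Return non-allowlisted globals requested by a zip-format checkpoint."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:  # BadZipFile on non-zip input
        streams = [zf.read(n) for n in zf.namelist() if n.endswith(".pkl")]
    if not streams:
        raise ValueError("no pickle member found; refusing to assess")
    return [g for s in streams for g in pickle_globals(s) if g not in ALLOWED]

def make_zip(obj):  # builds a constructed sample shaped like a zip checkpoint
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", pickle.dumps(obj, protocol=4))
    return buf.getvalue()

BENIGN = make_zip(OrderedDict(step=1))
SUSPECT = make_zip({"state": OrderedDict(), "hook": shutil.which})
```

An empty result only means no import outside the allowlist was found. The checkpoint should still be loaded with weights_only=True.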
Details
- CVE ID: CVE-2026-31214
- Severity: Critical
- CVSS Score: 9.8
- Type: insecure_deserialization
- Status: rejected
CWE
- CWE-502
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H