CVE-2025-3000

Published Mar 31, 2025

Last updated a year ago

CVSS medium 4.8

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-3000 identifies a vulnerability present in PyTorch version 2.6.0. This flaw specifically impacts the `torch.jit.script` function within the framework. The manipulation of this function can lead to memory corruption. It is possible to launch an attack exploiting this vulnerability on the local host, and details of an exploit have been publicly disclosed.

Description
A vulnerability classified as critical has been found in PyTorch 2.6.0. This affects the function torch.jit.script. The manipulation leads to memory corruption. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used.
Source
cna@vuldb.com
NVD status
Analyzed
Products
pytorch

Risk scores

CVSS 4.0

Type
Secondary
Base score
4.8
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
MEDIUM

CVSS 3.1

Type
Primary
Base score
5.3
Impact score
3.4
Exploitability score
1.8
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Severity
MEDIUM

CVSS 2.0

Type
Secondary
Base score
4.3
Impact score
6.4
Exploitability score
3.1
Vector string
AV:L/AC:L/Au:S/C:P/I:P/A:P

Weaknesses

cna@vuldb.com
CWE-119

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

4

  1. % pip-audit Found 1 known vulnerability in 1 package Name Version ID Fix Versions ----- ------- ------------- ------------ torch 2.12.0 CVE-2025-3000

    @h_okumura

    14 Jun 2026

    2115 Impressions

    2 Retweets

    4 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2025-3000 A vulnerability classified as critical has been found in PyTorch 2.6.0. This affects the function torch.jit.script. The manipulation leads to memory corruption. It is p… https://t.co/E6NpeLIaMy

    @CVEnew

    31 Mar 2025

    247 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. A vulnerability was identified in PyTorch 2.10.0. The affected element is an unknown function of the component pt2 Loading Handler. The manipulation leads to deserialization. The attack can only be performed from a local environment. The exploit is publicly available and might be used. The project was informed of the problem early through a pull request but has not reacted yet.CVE-2026-4538
  2. PyTorch is a Python package that provides tensor computation. Prior to version 2.10.0, a vulnerability in PyTorch's `weights_only` unpickler allows an attacker to craft a malicious checkpoint file (`.pth`) that, when loaded with `torch.load(..., weights_only=True)`, can corrupt memory and potentially lead to arbitrary code execution. Version 2.10.0 fixes the issue.CVE-2026-24747
  3. An issue was discovered in PyTorch v2.5 and v2.7.1. Omission of profiler.stop() can cause torch.profiler.profile (PythonTracer) to crash or hang during finalization, leading to a Denial of Service (DoS).CVE-2025-63396
  4. An issue in pytorch v2.7.0 can lead to a Denial of Service (DoS) when a PyTorch model consists of torch.Tensor.to_sparse() and torch.Tensor.to_dense() and is compiled by Inductor.CVE-2025-55560
  5. pytorch v2.8.0 was discovered to contain an integer overflow in the component torch.nan_to_num-.long().CVE-2025-55554

References

Sources include official advisories and independent security research.