torch-2.8.0-cp310-none-macosx_11_0_arm64.whl: 8 vulnerabilities (highest severity is: 8.8) #57
Description
Vulnerable Library - torch-2.8.0-cp310-none-macosx_11_0_arm64.whl
Tensors and Dynamic neural networks in Python with strong GPU acceleration
Library home page: https://files.pythonhosted.org/packages/ef/d6/e6d4c57e61c2b2175d3aafbfb779926a2cfd7c32eeda7c543925dceec923/torch-2.8.0-cp310-none-macosx_11_0_arm64.whl
Path to dependency file: /ai/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/11/torch-2.8.0-cp39-cp39-manylinux_2_28_x86_64.whl,/tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/13/torch-2.8.0-cp39-cp39-manylinux_2_28_x86_64.whl
Found in HEAD commit: 0f1cc4f79fdab9e4d90aa9caf963ea2e271c0183
Vulnerabilities
| Vulnerability | Severity | Dependency | Type | Fixed in (torch version) | Remediation Possible** |
|---|---|---|---|---|---|
| CVE-2026-24747 | 8.8 | torch-2.8.0-cp310-none-macosx_11_0_arm64.whl | Direct | 2.10.0 | ❌ |
| CVE-2025-55551 | 7.5 | torch-2.8.0-cp310-none-macosx_11_0_arm64.whl | Direct | 2.9.0 | ❌ |
| CVE-2026-4538 | 5.3 | torch-2.8.0-cp310-none-macosx_11_0_arm64.whl | Direct | N/A | ❌ |
| CVE-2025-55552 | 5.3 | torch-2.8.0-cp310-none-macosx_11_0_arm64.whl | Direct | N/A | ❌ |
| CVE-2025-3001 | 5.3 | torch-2.8.0-cp310-none-macosx_11_0_arm64.whl | Direct | N/A | ❌ |
| CVE-2025-2999 | 5.3 | torch-2.8.0-cp310-none-macosx_11_0_arm64.whl | Direct | N/A | ❌ |
| CVE-2025-2998 | 5.3 | torch-2.8.0-cp310-none-macosx_11_0_arm64.whl | Direct | N/A | ❌ |
| CVE-2025-63396 | 3.3 | torch-2.8.0-cp310-none-macosx_11_0_arm64.whl | Direct | N/A | ❌ |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation.
Details
CVE-2026-24747
Dependency Hierarchy:
- ❌ torch-2.8.0-cp310-none-macosx_11_0_arm64.whl (Vulnerable Library)
Found in HEAD commit: 0f1cc4f79fdab9e4d90aa9caf963ea2e271c0183
Found in base branch: main
Vulnerability Details
PyTorch is a Python package that provides tensor computation. Prior to version 2.10.0, a vulnerability in PyTorch's "weights_only" unpickler allows an attacker to craft a malicious checkpoint file (".pth") that, when loaded with "torch.load(..., weights_only=True)", can corrupt memory and potentially lead to arbitrary code execution. Version 2.10.0 fixes the issue.
Publish Date: 2026-01-27
URL: CVE-2026-24747
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2026-01-27
Fix Resolution: 2.10.0
CVE-2025-55551
Vulnerability Details
An issue in the component torch.linalg.lu of pytorch v2.8.0 allows attackers to cause a Denial of Service (DoS) when performing a slice operation.
Publish Date: 2025-09-25
URL: CVE-2025-55551
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2025-09-25
Fix Resolution: 2.9.0
CVE-2026-4538
Vulnerability Details
A vulnerability was identified in PyTorch 2.10.0. The affected element is an unknown function of the component pt2 Loading Handler. The manipulation leads to deserialization. The attack can only be performed from a local environment. The exploit is publicly available and might be used. The project was informed of the problem early through a pull request but has not reacted yet.
Publish Date: 2026-03-22
URL: CVE-2026-4538
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low
CVE-2025-55552
Vulnerability Details
pytorch v2.8.0 was discovered to display unexpected behavior when the components torch.rot90 and torch.randn_like are used together.
Publish Date: 2025-09-25
URL: CVE-2025-55552
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
CVE-2025-3001
Vulnerability Details
A vulnerability classified as critical was found in PyTorch 2.6.0. This vulnerability affects the function torch.lstm_cell. The manipulation leads to memory corruption. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used.
Publish Date: 2025-03-31
URL: CVE-2025-3001
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low
CVE-2025-2999
Vulnerability Details
A vulnerability was found in PyTorch 2.6.0. It has been rated as critical. Affected by this issue is the function torch.nn.utils.rnn.unpack_sequence. The manipulation leads to memory corruption. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used.
Publish Date: 2025-03-31
URL: CVE-2025-2999
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low
CVE-2025-2998
Vulnerability Details
A vulnerability was found in PyTorch 2.6.0. It has been declared as critical. Affected by this vulnerability is the function torch.nn.utils.rnn.pad_packed_sequence. The manipulation leads to memory corruption. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used.
Publish Date: 2025-03-31
URL: CVE-2025-2998
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low
CVE-2025-63396
Vulnerability Details
An issue was discovered in PyTorch v2.5 and v2.7.1. Omission of profiler.stop() can cause torch.profiler.profile (PythonTracer) to crash or hang during finalization, leading to a Denial of Service (DoS).
Publish Date: 2025-11-12
URL: CVE-2025-63396
CVSS 3 Score Details (3.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low