CVE-2025-2999: A local memory corruption vulnerability in PyTorch 2.6.0 affecting torch.nn.utils.rnn.unpack_sequence, which could be exploited by manipulating input data; the issue has been disclosed publicly and is considered critical in the advisory.


Description

A vulnerability was found in PyTorch 2.6.0 affecting the function torch.nn.utils.rnn.unpack_sequence. The flaw can lead to memory corruption when the function processes manipulated input data. Local access is required to exploit this issue, and the exploit has been disclosed publicly, meaning it may be used by attackers. The advisory lists the issue with multiple CVSS assessments, indicating a medium to high impact depending on metrics, and highlights the potential for instability or crash due to memory corruption.

Overview

This CVE describes a local memory corruption vulnerability in PyTorch 2.6.0 within the torch.nn.utils.rnn.unpack_sequence function. By feeding carefully crafted input data, an attacker with local access could trigger memory corruption, potentially causing crashes or unpredictable behavior in affected environments. The vulnerability has been publicly disclosed, and is classified with a mixed severity across CVSS metrics, underscoring the need for timely remediation in environments that rely on this PyTorch release.

Remediation

  1. Upgrade PyTorch to the latest patched release that fixes CVE-2025-2999. Check official PyTorch security advisories or the CVE entry for the exact fixed version and apply it across all affected systems.
  2. If upgrading immediately is not possible, restrict access to components using torch.nn.utils.rnn.unpack_sequence and isolate these workloads in trusted environments or containers to limit exposure to untrusted data.
  3. Validate and sanitize input data before it reaches the affected function, and minimize the use of the function with data from untrusted sources.
  4. Apply defense-in-depth measures such as containerization, least-privilege execution, and memory-protection features where feasible; consider building and testing with memory-safety sanitizers (e.g., ASan/UBSan) in development and CI pipelines to catch memory-corruption issues before release.
  5. After applying the fix, run regression and security validation tests to confirm the vulnerability is mitigated and monitor official advisories for any additional guidance or patches.
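The following is an added example, not code from the advisory or from the PyTorch project, that turns steps 1 and 3 above into a defensive wrapper: a version gate for the release the advisory names, and a structural check of the PackedSequence fields before they reach the affected function. The fixed version is a placeholder (`FIXED_VERSION`), since the page does not state it; the invariant checks (positive, non-increasing batch sizes that sum to the number of data rows, and mutually inverse index permutations) are an assumption about what a well-formed PackedSequence looks like. `torch` is imported only inside `safe_unpack_sequence`, so the pure helpers run without it.

```python
"""Defensive gate around torch.nn.utils.rnn.unpack_sequence (added example).

Not code from the advisory or from PyTorch. FIXED_VERSION is a PLACEHOLDER:
take the real value from the PyTorch advisory for CVE-2025-2999.
"""
from __future__ import annotations

import re
from typing import Optional, Sequence

AFFECTED_VERSION = "2.6.0"            # the release the advisory names
FIXED_VERSION: Optional[str] = None   # PLACEHOLDER, e.g. "X.Y.Z" from the advisory

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple[int, int, int]:
    """Extract (major, minor, patch) from strings such as '2.6.0+cu124'."""
    m = _VERSION_RE.match(version)
    if m is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str, fixed: Optional[str] = FIXED_VERSION) -> bool:
    """True when the installed torch build needs the mitigation.

    With a known fixed version, everything below it is treated as affected.
    Without one, only the release the advisory names (2.6.0) is flagged; the
    advisory says nothing about earlier releases, so they are not guessed at.
    """
    v = parse_version(version)
    if fixed is not None:
        return v < parse_version(fixed)
    return v == parse_version(AFFECTED_VERSION)


def validate_packed_fields(
    data_len: int,
    batch_sizes: Sequence[int],
    sorted_indices: Optional[Sequence[int]] = None,
    unsorted_indices: Optional[Sequence[int]] = None,
) -> list[str]:
    """Check the invariants a well-formed PackedSequence must satisfy.

    Returns the violations found (empty list == consistent). batch_sizes must
    be non-empty, positive, non-increasing and sum to the number of rows in
    `data`; the two index fields, when present, must be mutually inverse
    permutations of range(batch size).
    """
    problems: list[str] = []
    sizes = list(batch_sizes)
    if not sizes:
        return ["batch_sizes is empty"]
    if any((not isinstance(s, int)) or s <= 0 for s in sizes):
        problems.append("batch_sizes must contain positive integers")
    if any(a < b for a, b in zip(sizes, sizes[1:])):
        problems.append("batch_sizes must be non-increasing")
    if sum(sizes) != data_len:
        problems.append(f"sum(batch_sizes)={sum(sizes)} != data rows={data_len}")
    if problems:
        return problems  # size problems first; index checks need a sane batch size

    n = sizes[0]  # number of sequences in the batch
    for name, idx in (("sorted_indices", sorted_indices),
                      ("unsorted_indices", unsorted_indices)):
        if idx is not None and sorted(idx) != list(range(n)):
            problems.append(f"{name} is not a permutation of range({n})")
    if sorted_indices is not None and unsorted_indices is not None and not problems:
        # unsorted must invert sorted: unsorted[sorted[i]] == i for every i
        if any(unsorted_indices[sorted_indices[i]] != i for i in range(n)):
            problems.append("unsorted_indices is not the inverse of sorted_indices")
    return problems


def _as_list(t):
    """Convert an optional tensor field to a plain Python list."""
    return None if t is None else t.tolist()


def safe_unpack_sequence(packed, allow_affected: bool = False):
    """Call unpack_sequence only on a non-affected build and consistent input.

    Raises RuntimeError on an affected torch build (unless allow_affected is
    set, e.g. inside an isolated workload per step 2) and ValueError when the
    PackedSequence fields are inconsistent.
    """
    import torch  # deferred so the helpers above work without torch installed
    from torch.nn.utils.rnn import unpack_sequence

    if is_affected(torch.__version__) and not allow_affected:
        raise RuntimeError(
            f"torch {torch.__version__} is affected by CVE-2025-2999; upgrade first")
    problems = validate_packed_fields(
        packed.data.shape[0],
        _as_list(packed.batch_sizes),
        _as_list(packed.sorted_indices),
        _as_list(packed.unsorted_indices),
    )
    if problems:
        raise ValueError("refusing to unpack malformed PackedSequence: "
                         + "; ".join(problems))
    return unpack_sequence(packed)
```

Use `safe_unpack_sequence(packed)` wherever untrusted data would otherwise reach `unpack_sequence` directly; once the real fixed version is filled in, the version gate also documents the upgrade target for step 5's regression run.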


Industry Exposure (most to least)

This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Finance and Insurance: Low
  2. Management of Companies & Enterprises: Low
  3. Manufacturing: Low
  4. Transportation & Warehousing: Low
  5. Accommodation & Food Services: Low
  6. Administrative, Support, Waste Management & Remediation Services: Low
  7. Agriculture, Forestry, Fishing & Hunting: Low
  8. Arts, Entertainment & Recreation: Low
  9. Construction: Low
  10. Educational Services: Low
  11. Health Care & Social Assistance: Low
  12. Information: Low
  13. Mining: Low
  14. Other Services (except Public Administration): Low
  15. Professional, Scientific, & Technical Services: Low
  16. Public Administration: Low
  17. Real Estate Rental & Leasing: Low
  18. Retail Trade: Low
  19. Utilities: Low
  20. Wholesale Trade: Low
