CVE-2025-2148: PyTorch Tuple Handler is Vulnerable to Memory Corruption through Manipulation of None Argument
(updated )
A vulnerability was found in PyTorch 2.6.0+cu124. It has been declared as critical. Affected by this vulnerability is the function torch.ops.profiler._call_end_callbacks_on_jit_fut of the component Tuple Handler. The manipulation of the argument None leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult.
References
- github.com/advisories/GHSA-c678-jfcj-6jmf
- github.com/pypa/advisory-database/tree/main/vulns/torch/PYSEC-2025-189.yaml
- github.com/pytorch/pytorch/blob/b0a67c7495bb11ecb23e556058db059ba48354af/torch/autograd/profiler.py
- github.com/pytorch/pytorch/issues/147722
- nvd.nist.gov/vuln/detail/CVE-2025-2148
- vuldb.com/?ctiid.299059
- vuldb.com/?id.299059
- vuldb.com/?submit.505959
Code Behaviors & Features
Detect and mitigate CVE-2025-2148 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →