CVE-2025-2148
PyTorch Tuple Handler is Vulnerable to Memory Corruption through Manipulation of None Argument
7.5
HIGH
CVSS 3.1
EPSS 0.08%
Description
A vulnerability was found in PyTorch 2.6.0+cu124. It has been declared as critical. Affected by this vulnerability is the function torch.ops.profiler._call_end_callbacks_on_jit_fut of the component Tuple Handler. The manipulation of the argument None leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult.
How to fix CVE-2025-2148
To remediate CVE-2025-2148, upgrade the affected package to a fixed version below.
- —upgrade to 2.7.0 or later
- —no fix listed
- —no fix listed
- —no fix listed
Is CVE-2025-2148 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- >= 2.6.0, < 2.7.0
- from 0
- from 0, <= 2.6.0
- from 0, <= 2.6.0-cu124
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |