CVE-2025-2149
PyTorch: Manipulation of the argument scale/zero_point leads to improper initialization via Quantized Sigmoid Module
2.5
LOW
CVSS 3.1
EPSS 0.05%
Description
A vulnerability was found in PyTorch 2.6.0+cu124. It has been rated as problematic. Affected by this issue is the function nnq_Sigmoid of the component Quantized Sigmoid Module. The manipulation of the argument scale/zero_point leads to improper initialization. The attack needs to be approached locally. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.
How to fix CVE-2025-2149
To remediate CVE-2025-2149, upgrade the affected package to a fixed version below.
- —upgrade to 2.7.0 or later
- —no fix listed
- —no fix listed
- —no fix listed
Is CVE-2025-2149 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- >= 2.6.0, < 2.7.0
- from 0
- from 0, <= 2.6.0
- from 0, <= 2.6.0-cu124
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | CVSS 3.1 | LOW2.5 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N |