CVE-2025-2953

PyTorch torch.mkldnn_max_pool2d denial of service

Severity Score

4.8

*CVSS v4

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

A vulnerability, which was classified as problematic, has been found in PyTorch 2.6.0+cu124. Affected by this issue is the function torch.mkldnn_max_pool2d. The manipulation leads to denial of service. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The security policy of the project warns to use unknown models which might establish malicious effects.

Eine problematische Schwachstelle wurde in PyTorch 2.6.0+cu124 entdeckt. Es geht hierbei um die Funktion torch.mkldnn_max_pool2d. Dank Manipulation mit unbekannten Daten kann eine denial of service-Schwachstelle ausgenutzt werden. Der Angriff muss lokal passieren. Der Exploit steht zur öffentlichen Verfügung. Bisher konnte die Existenz der vermeintlichen Schwachstelle noch nicht eindeutig nachgewiesen werden.

*Credits: Default436352

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Attack Requirements

None

Privileges Required

Low

User Interaction

None

System

Vulnerable | Subsequent

Confidentiality

None

Integrity

None

Availability

Low

None

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

Poc

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2025-03-29 CVE Reserved
2025-03-30 CVE Published
2025-04-22 CVE Updated
2025-04-22 First Exploit
2025-06-06 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-404: Improper Resource Shutdown or Release

CAPEC

References (5)

URL	Tag	Source
https://github.com/pytorch/pytorch/issues/149274	Issue Tracking
https://vuldb.com/?id.302006	Technical Description
https://vuldb.com/?submit.521279	Third Party Advisory
https://github.com/pytorch/pytorch/blob/main/SECURITY.md#untrusted-models	Related

URL	Date	SRC
https://github.com/pytorch/pytorch/issues/149274#issue-2923122269	2025-04-22

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linuxfoundation Search vendor "Linuxfoundation"		Pytorch Search vendor "Linuxfoundation" for product "Pytorch"				*		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				*		-		Affected