CVE-2025-2148

unknown
Published 2025-03-10 · Modified 2026-05-21
CVSS v3
—
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS v4
—
not yet in upstream
VIR risk
—

Description

A vulnerability was found in PyTorch 2.6.0+cu124. It has been declared as critical. Affected by this vulnerability is the function torch.ops.profiler._call_end_callbacks_on_jit_fut of the component Tuple Handler. The manipulation of the argument None leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult.

Predictions

Exploit likelihood
30%
Patch ETA
—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker · DFSG


CVE-2025-2148

Name: CVE-2025-2148
Description: A vulnerability was found in PyTorch 2.6.0+cu124. It has been declared as critical. Affected by this vulnerability is the function torch.ops.profiler._call_end_callbacks_on_jit_fut of the component Tuple Handler. The manipulation of the argument None leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1102219

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| pytorch (PTS) | bullseye | 1.7.1-7 | vulnerable |
| | bullseye (security) | 1.7.1-7+deb11u1 | vulnerable |
| | bookworm | 1.13.1+dfsg-4 | vulnerable |
| | trixie | 2.6.0+dfsg-7 | vulnerable |
| | forky, sid | 2.12.0+dfsg2-4 | vulnerable |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| pytorch | source | (unstable) | (unfixed) | | | 1102219 |

Notes

[trixie] - pytorch <no-dsa> (Minor issue)
[bookworm] - pytorch <no-dsa> (Minor issue)
[bullseye] - pytorch <postponed> (Minor issue)
https://github.com/pytorch/pytorch/issues/147722


OS impact

Debian: Affected, 5 releases

| Version | Status | Fixed in |
|---|---|---|
| trixie | Affected | — |
| sid | Affected | — |
| forky | Affected | — |
| bullseye | Affected | — |
| bookworm | Affected | — |

Package impact

| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| python PyPI | torch | <=2.6.0-cu124 | |
