HIGH | CVE-2026-47747 | CNA: GitHub_M

CVE-2026-47747: stable-diffusion.cpp has a Heap-based Buffer Overflow

stable-diffusion.cpp is a pure C/C++ library for running diffusion model (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more) inference. In versions prior to master-584-0a7ae07, the pickle .ckpt parser in src/model.cpp contained a heap buffer overflow vulnerability in the BINUNICODE opcode handler. The issue was caused by sign confusion on the opcode length field. A crafted .ckpt file could trigger memcpy with a very large length derived from a negative signed value, causing immediate heap corruption. The issue has been resolved in version master-584-0a7ae07. If developers are unable to immediately update their applications they can work around this issue by only loading .ckpt checkpoint files from trusted sources and preferring trusted model sources and safer formats such as .safetensors where possible.
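The sign confusion described above, as an added C example that is not stable-diffusion.cpp's code (the project's patch is not shown on this page). It shows what a negative signed length becomes once it reaches `memcpy`, next to a handler that reads the BINUNICODE length as unsigned and bounds-checks it; the function names and sample records are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OP_BINUNICODE 0x58 /* pickle 'X': 4-byte little-endian length, then UTF-8 bytes */

/* The failure mode: a length field read as signed, then converted to size_t. */
size_t length_as_memcpy_sees_it(const uint8_t field[4]) {
    int32_t len;
    memcpy(&len, field, sizeof len);
    return (size_t)len; /* a negative value becomes an enormous unsigned size */
}

/* Hardened handler (hypothetical name). Returns bytes consumed, or -1 if malformed. */
int64_t read_binunicode(const uint8_t *buf, size_t buf_len, char *out, size_t out_cap) {
    if (buf_len < 5 || buf[0] != OP_BINUNICODE || out_cap == 0) return -1;
    /* Assemble the length as unsigned, byte by byte, independent of host endianness. */
    uint32_t len = (uint32_t)buf[1] | ((uint32_t)buf[2] << 8) |
                   ((uint32_t)buf[3] << 16) | ((uint32_t)buf[4] << 24);
    if (len > buf_len - 5) return -1; /* payload must lie inside the input */
    if (len > out_cap - 1) return -1; /* and fit the destination plus NUL */
    memcpy(out, buf + 5, len);
    out[len] = '\0';
    return (int64_t)len + 5;
}

/* Constructed samples: a well-formed record and one whose length field is 0xFFFFFFFF. */
static const uint8_t GOOD[] = {0x58, 0x05, 0, 0, 0, 'h', 'e', 'l', 'l', 'o'};
static const uint8_t BAD[]  = {0x58, 0xFF, 0xFF, 0xFF, 0xFF, 'A', 'A'};

int main(void) {
    char out[16];
    printf("signed read of ff ff ff ff -> memcpy size %zu\n",
           length_as_memcpy_sees_it(BAD + 1));
    printf("good record consumed: %lld\n",
           (long long)read_binunicode(GOOD, sizeof GOOD, out, sizeof out));
    printf("bad record result:    %lld\n",
           (long long)read_binunicode(BAD, sizeof BAD, out, sizeof out));
    return 0;
}
```

Both checks are written as `len > limit - constant` after the limit has been validated, so neither comparison can wrap.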

Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in:
  • Affected Products: 1

HarborGuard Analysis

Synopsis

Heap-based buffer overflow in stable-diffusion.cpp affects the pickle .ckpt file parser in src/model.cpp. The vulnerability is triggered locally when a user opens a crafted .ckpt checkpoint file, requiring no authentication but needing user interaction to load the file. Successful exploitation causes heap corruption that gives an attacker full read access, write access, and the ability to crash or take control of the process. No fix version has been published to a package registry yet; HarborGuard tracks the upstream advisory and will make a patched-image rebuild available as soon as a release is tagged.

HarborGuard Coverage

Detection

Detection of CVE-2026-47747 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built images that bundle stable-diffusion.cpp. Coverage applies to both pre-built and internally compiled variants of the library.

Status: Available

Triage

Triage capability is available with the CVSS v3.1 base score of 7.8 (HIGH), weighted against each customer organization's compliance policy to determine ticket priority and severity tier. Routing to the appropriate team inbox within each customer org is handled automatically based on policy configuration.

Status: Available

Patch

Because no fix version has been published yet, HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available the moment a stable release is tagged upstream. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically at that point without requiring manual intervention.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network-facing service exposure is required.

  • Authentication: Not required

    No account or credential is required to supply a malicious .ckpt file to the vulnerable parser.

  • Victim interaction: Required

    A user must open or load a crafted .ckpt checkpoint file, making social engineering (e.g. distributing a malicious model file) the delivery mechanism.

  • Attack complexity: Detail

    The exploit is reliable and condition-free once the malicious file is loaded; no race conditions or special memory layout assumptions are needed.

Blast Radius

  • Reads arbitrary heap memory, exposing in-process data such as model weights, intermediate tensors, and any secrets held in process memory.
  • Overwrites heap structures with attacker-controlled bytes, allowing modification of application state or persistent data written after the corruption.
  • Crashes the host process immediately due to heap corruption, taking down any service or pipeline stage running the library.
  • In environments where the process runs with elevated permissions, heap control may be escalated to arbitrary code execution within that security context.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix version has been published, HarborGuard continuously re-checks the advisory on every ingest cycle and will surface a patched-image rebuild the moment a release is tagged. In the interim, compensating controls available to all customers include network-policy isolation to limit which workloads can receive external model files, egress filtering to restrict model downloads to approved registries, and feature-flag or admission-control gating to block .ckpt file ingestion in favor of .safetensors format where the runtime supports it. For customers with auto-remediation enabled, the full rebuild, regression test run, and PR flow against affected workloads will trigger automatically once the upstream fix is available, with no manual steps required.

Affected packages
  • leejet / stable-diffusion.cpp
    < master-584-0a7ae07

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H