CVE-2026-47749 | Severity: HIGH | CNA: GitHub_M

CVE-2026-47749: stable-diffusion.cpp: Heap buffer overflow in SHORT_BINUNICODE parsing for PyTorch checkpoint files

stable-diffusion.cpp is a pure C/C++ library for running diffusion-model inference (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more). Versions prior to master-584-0a7ae07 are vulnerable to a heap buffer overflow in SHORT_BINUNICODE parsing for PyTorch checkpoint files.

The pickle .ckpt parser in src/model.cpp contained a heap buffer overflow in the SHORT_BINUNICODE opcode handler. The issue was caused by sign confusion on the opcode's length field: a crafted .ckpt file could make memcpy run with a very large length derived from a negative signed value, causing immediate heap corruption.

Any application that uses an affected stable-diffusion.cpp release to load untrusted .ckpt model files could be vulnerable. A malicious checkpoint file could cause heap corruption through memcpy with an attacker-controlled length. This may lead to a process crash and could potentially be leveraged for code execution, depending on heap layout. The attack requires the victim or application to load a .ckpt file from an untrusted source, such as a model downloaded from a model-sharing site.

The issue has been resolved in version master-584-0a7ae07. Developers who are unable to update immediately can work around the issue by not loading .ckpt checkpoint files from untrusted sources, relying on trusted model sources instead, and preferring safer formats such as .safetensors where possible.
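To make the bug class concrete, the following is an added illustration and not code from stable-diffusion.cpp's src/model.cpp (the project's actual handler is not reproduced on this page). It shows a minimal SHORT_BINUNICODE handler in the buggy shape the advisory describes (a one-byte length read as a signed value and widened to size_t for memcpy) next to a hardened handler that reads the length unsigned and bounds-checks it against the remaining input. The opcode value 0x8c is the standard pickle encoding; the function names, the constructed sample bytes and the destination size are assumptions made for the example.

```cpp
// Added, illustrative code demonstrating the length sign-confusion class
// described in the advisory. Not stable-diffusion.cpp's own parser; names,
// sample bytes and sizes are assumptions for the example.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <optional>
#include <string>
#include <vector>

// Pickle opcode SHORT_BINUNICODE (0x8c): one length byte, then that many UTF-8 bytes.
constexpr uint8_t SHORT_BINUNICODE = 0x8c;

// The length as the vulnerable pattern derives it: the byte is read into a
// signed 8-bit integer and then widened to size_t for memcpy. Any byte >= 0x80
// is negative, and the signed-to-unsigned conversion turns e.g. -1 into SIZE_MAX.
size_t buggy_length(const std::vector<uint8_t>& buf, size_t pos) {
    int8_t len = static_cast<int8_t>(buf[pos]);  // sign confusion happens here
    return static_cast<size_t>(len);             // 0xff -> 18446744073709551615
}

// Would the buggy handler's memcpy run past a destination of dst_capacity
// bytes? Evaluated without performing the copy, so the example is safe to run.
bool buggy_copy_overflows(const std::vector<uint8_t>& buf, size_t pos, size_t dst_capacity) {
    if (pos + 1 >= buf.size() || buf[pos] != SHORT_BINUNICODE) return false;
    return buggy_length(buf, pos + 1) > dst_capacity;
}

// Hardened handler: unsigned length, explicit bounds check against the bytes
// that remain in the input, and a copy bounded by that check. Returns the
// decoded string and advances pos past the opcode, or returns nullopt and
// leaves pos untouched on a truncated or oversized record.
std::optional<std::string> parse_short_binunicode(const std::vector<uint8_t>& buf, size_t& pos) {
    if (pos >= buf.size() || buf[pos] != SHORT_BINUNICODE) return std::nullopt;
    if (pos + 1 >= buf.size()) return std::nullopt;    // truncated: no length byte
    const size_t len = buf[pos + 1];                    // uint8_t: 0..255, never negative
    const size_t data = pos + 2;
    if (len > buf.size() - data) return std::nullopt;  // length exceeds remaining input
    std::string out(len, '\0');
    if (len) std::memcpy(&out[0], &buf[data], len);    // bounded by the check above
    pos = data + len;
    return out;
}

// Constructed sample inputs (not real checkpoint data).
const std::vector<uint8_t> kBenign  = {SHORT_BINUNICODE, 0x05, 'h', 'e', 'l', 'l', 'o'};
const std::vector<uint8_t> kCrafted = {SHORT_BINUNICODE, 0xff, 'A', 'B'};  // top bit set

int main() {
    std::printf("buggy length for crafted record: %zu\n", buggy_length(kCrafted, 1));
    std::printf("buggy copy overflows 4096-byte dst: %s\n",
                buggy_copy_overflows(kCrafted, 0, 4096) ? "yes" : "no");
    size_t pos = 0;
    auto good = parse_short_binunicode(kBenign, pos);
    std::printf("hardened parse of benign record: %s\n", good ? good->c_str() : "(rejected)");
    pos = 0;
    auto bad = parse_short_binunicode(kCrafted, pos);
    std::printf("hardened parse of crafted record: %s\n", bad ? bad->c_str() : "(rejected)");
    return 0;
}
```

The two handlers read the same byte; the difference is only the type it lands in. The hardened version also checks the length against the input that remains, which is the check a file parser needs regardless of signedness, since a well-formed length byte can still claim more bytes than the file contains.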

Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: (not listed)
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A heap buffer overflow vulnerability affects the PyTorch checkpoint (.ckpt) file parser in the stable-diffusion.cpp library. The flaw is reached locally when a user or application loads a crafted .ckpt file: no authentication is required, but the victim must open the malicious file. Successful exploitation causes heap corruption, crashing the process and potentially enabling arbitrary code execution. No upstream fix version has been published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as a fix is released.

HarborGuard Coverage

Detection (status: Available)

Detection of CVE-2026-47749 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle stable-diffusion.cpp.

Triage (status: Available)

HarborGuard scores this CVE at 7.8 HIGH (CVSS v3.1) against each affected image, weights the result against per-environment compliance policies, and routes findings to the appropriate team inbox within each customer organization.

Patch (status: Pending upstream)

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released upstream. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be initiated without manual intervention at that point.

Exploit Conditions

  • Network reachability: Not required

    The attacker does not need network access; they deliver the malicious .ckpt file through other means, and exploitation happens locally on the host that loads it.

  • Authentication: Not required

    No account or credentials are needed to exploit the flaw; the vulnerability is triggered purely by parsing a crafted file.

  • Victim interaction: Required

    A user or automated process must actively load the malicious .ckpt model file, for example by downloading it from a model-sharing site and passing it to the application.

  • Attack complexity: Low (CVSS AC:L)

    Exploit reliability is high under typical conditions, but achieving code execution (beyond a crash) depends on heap layout at the time of the overflow, which varies across environments.

Blast Radius

  • The affected process suffers immediate heap corruption, causing a crash that disrupts any inference workload relying on that service.
  • Depending on heap layout at runtime, an attacker may gain the ability to execute arbitrary code within the process running stable-diffusion.cpp.
  • A successful code-execution scenario gives the attacker full read access to data in that process, including model weights, prompts, and any secrets held in memory.
  • The attacker can also modify or destroy in-memory state, corrupting outputs or persisted artifacts written by the process.

How HarborGuard Handles This

Available on HarborGuard: the CVE is matched against images containing the affected stable-diffusion.cpp library as soon as it appears in upstream feeds, with no manual configuration required. Because no patched release exists yet, HarborGuard monitors the upstream advisory on every ingest cycle and will trigger a patched-image rebuild and, for customers with auto-remediation enabled, a full rebuild-plus-regression-run-plus-PR flow the moment a fix is published. In the interim, teams can apply compensating controls within HarborGuard network policies: isolating inference workloads so they cannot reach untrusted external sources, applying egress filtering to block downloads from arbitrary model-sharing endpoints, and flagging any pipeline step that loads .ckpt files from unverified origins. Switching to the .safetensors format where pipeline configuration allows is also a concrete mitigation that eliminates exposure to the pickle-based parser entirely.

Affected packages

  • leejet / stable-diffusion.cpp: < master-584-0a7ae07

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H