CVE-2026-47750 | Severity: HIGH | CNA: GitHub_M

CVE-2026-47750: stable-diffusion.cpp: Heap buffer overflow in GLOBAL opcode parsing for PyTorch checkpoint files

stable-diffusion.cpp is a pure C/C++ library for running diffusion-model inference (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more). In versions prior to master-584-0a7ae07, the pickle .ckpt parser in src/model.cpp contained a heap buffer overflow in the GLOBAL opcode handler, caused by missing validation when searching for newline-delimited fields: a crafted .ckpt file lacking the expected newline could make the parser use -1 as a copy length, resulting in immediate heap corruption. The attack requires the victim or application to load a .ckpt file from an untrusted source, such as a model downloaded from a model-sharing site. The issue has been resolved in version master-584-0a7ae07. Developers who cannot update immediately can work around the issue by not loading .ckpt checkpoint files from untrusted sources, and by preferring trusted model sources and safer formats such as .safetensors where possible.
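The missing-newline check described above, as an added example that is not stable-diffusion.cpp's own code: a bounded reader for the two newline-terminated fields (module, name) that follow a pickle GLOBAL opcode, which rejects a field with no terminator instead of letting the -1 "not found" result become a copy length. Function names, the field size and the sample bytes are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PICKLE_GLOBAL 'c'   /* GLOBAL opcode: 'c' module '\n' name '\n' */
#define FIELD_MAX 64        /* assumed per-field buffer size */

/* The search pattern the advisory describes: -1 signals "no newline".
   A caller that feeds that result straight into memcpy() overflows the heap. */
static int find_newline(const uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (buf[i] == '\n') return (int)i;
    return -1;
}

/* Hardened field copy: a missing terminator or an oversized field is a
   parse error, so the -1 can never be reinterpreted as a length. */
static int read_field(const uint8_t *buf, size_t len, char *out,
                      size_t out_sz, size_t *consumed) {
    int nl = find_newline(buf, len);
    if (nl < 0) return -1;               /* truncated file: reject */
    if ((size_t)nl >= out_sz) return -1; /* would not fit with the NUL */
    memcpy(out, buf, (size_t)nl);
    out[nl] = '\0';
    *consumed = (size_t)nl + 1;          /* field plus its newline */
    return 0;
}

/* Parse one GLOBAL record at buf. Returns 0 on success, -1 on malformed input. */
int parse_global(const uint8_t *buf, size_t len, char *module, char *name, size_t sz) {
    if (len < 1 || buf[0] != PICKLE_GLOBAL) return -1;
    size_t pos = 1, used = 0;
    if (read_field(buf + pos, len - pos, module, sz, &used) != 0) return -1;
    pos += used;
    if (read_field(buf + pos, len - pos, name, sz, &used) != 0) return -1;
    return 0;
}

int main(void) {
    /* constructed samples: a well-formed record and one missing the final newline */
    const char *good = "ccollections\nOrderedDict\n";
    const char *bad  = "ccollections\nOrderedDict";
    char m[FIELD_MAX], n[FIELD_MAX];
    printf("good: %d\n", parse_global((const uint8_t *)good, strlen(good), m, n, FIELD_MAX));
    printf("bad:  %d\n", parse_global((const uint8_t *)bad, strlen(bad), m, n, FIELD_MAX));
    return 0;
}
```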

Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: none listed
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A heap buffer overflow vulnerability exists in the GLOBAL opcode handler of the pickle .ckpt parser in stable-diffusion.cpp, a C/C++ library for running diffusion model inference. The flaw is triggered locally when a user or application loads a crafted .ckpt checkpoint file from an untrusted source, such as a model downloaded from a model-sharing site; no network exposure or authentication is required beyond tricking the victim into opening the file. Successful exploitation corrupts heap memory and gives an attacker full read, write, and execution capability over the affected process. No fix version has been published upstream; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as one is released.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-47750 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle stable-diffusion.cpp. Any image containing an affected version of the library is flagged automatically during both registry scans and CI/CD pipeline checks.

Triage (Available)

HarborGuard scores this CVE at 7.8 HIGH using the CVSS v3.1 vector and surfaces it through each customer's per-environment compliance policy weighting, ensuring it is prioritized appropriately for workloads that handle user-supplied model files. Triage alerts are routed to the team inboxes configured in each customer org, so the right engineers see the finding without manual sorting.

Patch (Pending upstream)

Because no upstream fix version has been published for stable-diffusion.cpp, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix commit is tagged or released. For customers who opt into auto-remediation, a rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention as soon as the fix becomes available.

Exploit Conditions

  • Network reachability: Not required

    The attacker does not need network access to the target system; they only need the victim to load a malicious .ckpt file, which can be delivered out-of-band (for example, via a model-sharing site download).

  • Authentication: Not required

    No account or credential on the target system is required; the vulnerability is triggered entirely through the act of loading a crafted file.

  • Victim interaction: Required

    The victim or application must actively load a crafted .ckpt checkpoint file from an untrusted source, making social engineering (for example, pointing a user to a malicious model download) a prerequisite.

  • Attack complexity: Low

    Attack complexity is low, meaning the overflow is reliably triggered by the malformed input without requiring specific memory layouts, race conditions, or other environmental conditions.

Blast Radius

  • Heap memory is corrupted immediately upon parsing the malformed GLOBAL opcode, giving the attacker a primitive to overwrite adjacent heap allocations.
  • An attacker can read process memory contents, exposing in-memory data such as loaded model weights, API keys, or intermediate inference results.
  • An attacker can write arbitrary data into heap regions, modifying application state or persisted outputs produced by the inference process.
  • The corrupted heap state causes the process to crash or, in a worst-case exploit chain, allows the attacker to redirect execution flow and run arbitrary code under the process's privileges.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix for CVE-2026-47750 has been published, HarborGuard continuously re-checks the advisory on every ingest cycle and will trigger a patched-image rebuild the moment leejet/stable-diffusion.cpp ships a fix. In the interim, customers can apply compensating controls directly in HarborGuard: use network-policy isolation to restrict which services are permitted to fetch external .ckpt files, apply egress filtering rules to block downloads from untrusted model repositories, and consider gating .ckpt loading behind a feature flag in affected container images while switching to the .safetensors format where operationally feasible. For customers who opt into auto-remediation, HarborGuard will automatically rebuild affected images, run regression tests, and open a PR against affected workloads as soon as the upstream fix is published, with median time from CVE patch publication to merged PR for high-severity issues around 90 minutes.

Affected packages
  • leejet/stable-diffusion.cpp: < master-584-0a7ae07
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H