CVE-2026-53875 | Severity: HIGH | CNA: VulnCheck

CVE-2026-53875: picklescan - Scanning Bypass via Dynamic Eval in scan_pytorch

picklescan before 1.0.3 contains a scanning bypass vulnerability in the scan_pytorch function that allows attackers to embed malicious magic numbers via dynamic eval using the __reduce__ trick. Attackers can craft malicious PyTorch payloads that evade picklescan detection while remaining executable, enabling arbitrary code execution when loaded with torch.load().

Metrics

  • CVSS v4.0: 7.1
  • Severity: HIGH
  • Fixed in: 1.0.3
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A scanning-bypass vulnerability in picklescan (versions before 1.0.3) allows an attacker to craft a malicious PyTorch model file that slips past picklescan's detection logic. The attack is network-reachable, requires no authentication, and needs a user to load the crafted file. Successful exploitation results in arbitrary code execution when the payload is loaded with torch.load(). A patched-image rebuild at version 1.0.3 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

  • Detection: Available

    Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle picklescan as a dependency.

  • Triage: Available

    HarborGuard scores this CVE at 7.1 HIGH using the CVSS v4.0 vector and weights findings against each environment's compliance policy before routing alerts to the appropriate team inbox within the customer org.

  • Patch: Available

    A patched-image rebuild at picklescan 1.0.3 becomes available on HarborGuard for any environment where an affected version is detected. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads.

Exploit Conditions

  • Network reachability: Required

    The attacker must deliver the crafted PyTorch file over the network, for example by hosting it on a model-sharing platform or a package feed the victim fetches from.

  • Authentication: Not required

    No account or credentials are needed to publish or distribute the malicious payload.

  • Victim interaction: Required

    A user or automated pipeline must actively load the crafted file with torch.load(), making the attack dependent on social engineering or supply-chain poisoning to trigger execution.

  • Attack complexity

    The exploit is reliable and condition-free once the payload is delivered; no race condition or specific memory layout is required.

Blast Radius

  • The attacker achieves arbitrary code execution in the process that calls torch.load(), with the same privileges as the loading application or ML pipeline worker.
  • Any model-loading workflow that relies on picklescan as a security gate is silently bypassed, meaning subsequent malicious payloads can also execute without triggering alerts.
  • Integrity of the host environment is fully compromised: the attacker can write files, install backdoors, or pivot to other services reachable from that process.

How HarborGuard Handles This

Available on HarborGuard: any image containing picklescan below 1.0.3 is flagged as soon as the CVE feed is ingested. For customers with auto-remediation enabled, HarborGuard rebuilds the image at picklescan 1.0.3, runs a regression test pass, and opens a pull request against affected workloads. For HIGH-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image and diff are staged and waiting for sign-off. Because this vulnerability specifically undermines a security scanning tool rather than a runtime service, customers should also audit any pipeline that uses picklescan as a gate and treat all PyTorch model files loaded before the patch as untrusted until verified through an updated scan.
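The audit step above boils down to one question per environment: is the installed picklescan inside the affected range (< 1.0.3, fixed in 1.0.3)? The following script is an added example, not HarborGuard's or picklescan's own code. It parses pinned `name==version` lines in the format `pip freeze` emits (the sample lines are constructed here, not taken from any real image), compares the picklescan version against the fixed version with a small numeric comparison that also ranks pre-release tags such as `1.0.3rc1` below `1.0.3`, and returns the findings so the result can feed a pipeline gate instead of only being printed.

```python
"""Flag environments whose pinned picklescan version falls in the
CVE-2026-53875 affected range (picklescan < 1.0.3, fixed in 1.0.3).

Added example for this advisory page; not part of picklescan or HarborGuard.
"""
import re

# Range taken from the advisory: "< 1.0.3 (from 0)", fixed in 1.0.3.
AFFECTED_PACKAGE = "picklescan"
FIXED_VERSION = "1.0.3"

# major[.minor[.patch]] followed by an optional suffix (rc1, .post1, +local ...)
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(.*)$")
_PRERELEASE_TAGS = ("a", "b", "c", "rc", "dev", "pre", "alpha", "beta")

# name==version, optionally followed by an environment marker (; python_version ...)
_PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*==\s*([^\s;]+)")


def version_key(text):
    """Return a sortable key (major, minor, patch, is_final).

    Missing components count as 0, so "1.0" == "1.0.0". A pre-release
    suffix (rc1, a1, .dev3 ...) sets is_final to 0 so that it sorts
    below the matching final release; .post1 or +local suffixes keep
    is_final at 1 and are otherwise ignored.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch, suffix = m.groups()
    suffix = suffix.lstrip(".-_").lower()
    is_final = 0 if suffix.startswith(_PRERELEASE_TAGS) else 1
    return (int(major), int(minor or 0), int(patch or 0), is_final)


def is_affected(version):
    """True when `version` is below the fixed version for this CVE."""
    return version_key(version) < version_key(FIXED_VERSION)


def parse_pin(line):
    """Parse one pip-freeze / requirements line into (name, version).

    Returns None for comments, blank lines and unpinned specifiers
    (>=, ~= ...), which cannot be evaluated without resolving them.
    """
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    m = _PIN_RE.match(line)
    if not m:
        return None
    # Normalise the distribution name the way pip does (case, '_' -> '-').
    return m.group(1).lower().replace("_", "-"), m.group(2)


def find_affected(freeze_lines):
    """Return [(name, version)] for every pinned picklescan in the affected range."""
    findings = []
    for line in freeze_lines:
        parsed = parse_pin(line)
        if parsed is None:
            continue
        name, version = parsed
        if name == AFFECTED_PACKAGE and is_affected(version):
            findings.append((name, version))
    return findings


# Constructed sample of `pip freeze` output; versions are illustrative only.
SAMPLE_FREEZE = [
    "# generated by pip freeze (constructed sample)",
    "numpy==1.26.4",
    "torch==2.3.0",
    "PickleScan==1.0.2 ; python_version >= '3.8'",
    "requests>=2.0   # unpinned: skipped, cannot be evaluated here",
    "",
]

if __name__ == "__main__":
    for name, version in find_affected(SAMPLE_FREEZE):
        print(f"AFFECTED: {name}=={version} (< {FIXED_VERSION}, CVE-2026-53875)")
```

Run it against real `pip freeze` output by replacing `SAMPLE_FREEZE` with the file's lines; a non-empty result is the signal to rebuild at 1.0.3 and to re-scan any model files that passed through the old gate, as the paragraph above recommends.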

Affected packages
  • picklescan / picklescan
    < 1.0.3 (from 0)
    Fixed in 1.0.3
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N