PyTorch is Vulnerable to Memory Consumption through pad_packed_sequence Function
Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.
Details
A vulnerability was found in PyTorch 2.6.0. It has been declared as critical. Affected by this vulnerability is the function torch.nn.utils.rnn.pad_packed_sequence. The manipulation leads to memory corruption. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used.
The fix
Add empty tensor check for `_pad_packed_sequence` (#167521)
aten/src/ATen/native/PackedSequence.cpp+1 −0
@@ -142,6 +142,7 @@ Tensor _pack_padded_sequence_backward_symint(const Tensor& grad, c10::SymIntArrastd::tuple<Tensor, Tensor> _pad_packed_sequence(const Tensor& data, const Tensor& _batch_sizes, bool batch_first, const Scalar& padding_value, int64_t total_length) {auto batch_sizes_t = _batch_sizes.contiguous();checkLongTensor(batch_sizes_t);+TORCH_CHECK(batch_sizes_t.numel() > 0, "batch_sizes can not be empty");int64_t * batch_sizes = batch_sizes_t.data_ptr<int64_t>();int64_t max_batch_size = batch_sizes[0];
test/nn/test_packed_sequence.py+30 −0
@@ -492,6 +492,36 @@ def pad(tensor, length):torch.randn([0, 1, 10]), torch.randn([11, 14, 14, 2]), True)+def test_empty_packed_sequence(self):+"""+Regression test for https://github.com/pytorch/pytorch/issues/149622+Tests that pad_packed_sequence and unpack_sequence handle empty tensors+without segmentation fault (CVE-2025-2998, CVE-2025-2999)+"""+# Test case 1: pad_packed_sequence with empty tensors+# Previously caused segmentation fault+empty_data = torch.randn(0, 5)+empty_batch_sizes = torch.tensor([], dtype=torch.int64)+empty_packed = rnn_utils.PackedSequence(+empty_data, empty_batch_sizes, None, None+)++# Should not crash - either return empty result or raise informative error+with self.assertRaises(RuntimeError):+rnn_utils.pad_packed_sequence(empty_packed, batch_first=True)++# Test case 2: unpack_sequence with empty tensors+# Previously caused segmentation fault+empty_data = torch.tensor([])+empty_batch_sizes = torch.tensor([], dtype=torch.int64)+packed = rnn_utils.PackedSequence(+data=empty_data, batch_sizes=empty_batch_sizes+)++# Should not crash - either return empty list or raise informative error+with self.assertRaises(RuntimeError):+rnn_utils.unpack_sequence(packed)+if __name__ == "__main__":run_tests()
References
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-2998
- WEBhttps://github.com/pytorch/pytorch/issues/149622
- WEBhttps://github.com/pytorch/pytorch/issues/149622#issue-2935495265
- WEBhttps://github.com/pytorch/pytorch/commit/494518046816d29099b7d056a74ffa5c244fdcdd
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/torch/PYSEC-2025-192.yaml
- PACKAGEhttps://github.com/pytorch/pytorch
- WEBhttps://vuldb.com/?ctiid.302047
- WEBhttps://vuldb.com/?id.302047
- WEBhttps://vuldb.com/?submit.524151