Security context
Medium· 5.3GHSA-vgrw-7cvw-pwgx CVE-2025-2999CWE-119Published Mar 31, 2025

PyTorch is vulnerable to memory corruption through its unpack_sequence function

Research this vulnerability

Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.

Affected versions

0 → fixed in 2.9.1

Details

A vulnerability was found in PyTorch 2.6.0. It has been rated as critical. Affected by this issue is the function torch.nn.utils.rnn.unpack_sequence. The manipulation leads to memory corruption. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. A patch is available through commit [4945180](https://github.com/pytorch/pytorch/commit/494518046816d29099b7d056a74ffa5c244fdcdd).

The fix

Add empty tensor check for `_pad_packed_sequence` (#167521)

Nikita Shulga· Nov 11, 2025, 06:49 AM+3104945180468
aten/src/ATen/native/PackedSequence.cpp+1 0
@@ -142,6 +142,7 @@ Tensor _pack_padded_sequence_backward_symint(const Tensor& grad, c10::SymIntArra
std::tuple<Tensor, Tensor> _pad_packed_sequence(const Tensor& data, const Tensor& _batch_sizes, bool batch_first, const Scalar& padding_value, int64_t total_length) {
auto batch_sizes_t = _batch_sizes.contiguous();
checkLongTensor(batch_sizes_t);
+ TORCH_CHECK(batch_sizes_t.numel() > 0, "batch_sizes can not be empty");
int64_t * batch_sizes = batch_sizes_t.data_ptr<int64_t>();
int64_t max_batch_size = batch_sizes[0];
test/nn/test_packed_sequence.py+30 0
@@ -492,6 +492,36 @@ def pad(tensor, length):
torch.randn([0, 1, 10]), torch.randn([11, 14, 14, 2]), True
)
+ def test_empty_packed_sequence(self):
+ """
+ Regression test for https://github.com/pytorch/pytorch/issues/149622
+ Tests that pad_packed_sequence and unpack_sequence handle empty tensors
+ without segmentation fault (CVE-2025-2998, CVE-2025-2999)
+ """
+ # Test case 1: pad_packed_sequence with empty tensors
+ # Previously caused segmentation fault
+ empty_data = torch.randn(0, 5)
+ empty_batch_sizes = torch.tensor([], dtype=torch.int64)
+ empty_packed = rnn_utils.PackedSequence(
+ empty_data, empty_batch_sizes, None, None
+ )
+
+ # Should not crash - either return empty result or raise informative error
+ with self.assertRaises(RuntimeError):
+ rnn_utils.pad_packed_sequence(empty_packed, batch_first=True)
+
+ # Test case 2: unpack_sequence with empty tensors
+ # Previously caused segmentation fault
+ empty_data = torch.tensor([])
+ empty_batch_sizes = torch.tensor([], dtype=torch.int64)
+ packed = rnn_utils.PackedSequence(
+ data=empty_data, batch_sizes=empty_batch_sizes
+ )
+
+ # Should not crash - either return empty list or raise informative error
+ with self.assertRaises(RuntimeError):
+ rnn_utils.unpack_sequence(packed)
+
if __name__ == "__main__":
run_tests()

References