PyTorch is vulnerable to memory corruption through its unpack_sequence function
Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.
Affected versions
Details
A vulnerability was found in PyTorch 2.6.0. It has been rated as critical. Affected by this issue is the function torch.nn.utils.rnn.unpack_sequence. The manipulation leads to memory corruption. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. A patch is available through commit [4945180](https://github.com/pytorch/pytorch/commit/494518046816d29099b7d056a74ffa5c244fdcdd).
The fix
Add empty tensor check for `_pad_packed_sequence` (#167521)
aten/src/ATen/native/PackedSequence.cpp+1 −0
@@ -142,6 +142,7 @@ Tensor _pack_padded_sequence_backward_symint(const Tensor& grad, c10::SymIntArrastd::tuple<Tensor, Tensor> _pad_packed_sequence(const Tensor& data, const Tensor& _batch_sizes, bool batch_first, const Scalar& padding_value, int64_t total_length) {auto batch_sizes_t = _batch_sizes.contiguous();checkLongTensor(batch_sizes_t);+TORCH_CHECK(batch_sizes_t.numel() > 0, "batch_sizes can not be empty");int64_t * batch_sizes = batch_sizes_t.data_ptr<int64_t>();int64_t max_batch_size = batch_sizes[0];
test/nn/test_packed_sequence.py+30 −0
@@ -492,6 +492,36 @@ def pad(tensor, length):torch.randn([0, 1, 10]), torch.randn([11, 14, 14, 2]), True)+def test_empty_packed_sequence(self):+"""+Regression test for https://github.com/pytorch/pytorch/issues/149622+Tests that pad_packed_sequence and unpack_sequence handle empty tensors+without segmentation fault (CVE-2025-2998, CVE-2025-2999)+"""+# Test case 1: pad_packed_sequence with empty tensors+# Previously caused segmentation fault+empty_data = torch.randn(0, 5)+empty_batch_sizes = torch.tensor([], dtype=torch.int64)+empty_packed = rnn_utils.PackedSequence(+empty_data, empty_batch_sizes, None, None+)++# Should not crash - either return empty result or raise informative error+with self.assertRaises(RuntimeError):+rnn_utils.pad_packed_sequence(empty_packed, batch_first=True)++# Test case 2: unpack_sequence with empty tensors+# Previously caused segmentation fault+empty_data = torch.tensor([])+empty_batch_sizes = torch.tensor([], dtype=torch.int64)+packed = rnn_utils.PackedSequence(+data=empty_data, batch_sizes=empty_batch_sizes+)++# Should not crash - either return empty list or raise informative error+with self.assertRaises(RuntimeError):+rnn_utils.unpack_sequence(packed)+if __name__ == "__main__":run_tests()
References
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-2999
- WEBhttps://github.com/pytorch/pytorch/issues/149622
- WEBhttps://github.com/pytorch/pytorch/issues/149622#issue-2935495265
- WEBhttps://github.com/pytorch/pytorch/commit/494518046816d29099b7d056a74ffa5c244fdcdd
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/torch/PYSEC-2025-193.yaml
- PACKAGEhttps://github.com/pytorch/pytorch
- WEBhttps://vuldb.com/?ctiid.302048
- WEBhttps://vuldb.com/?id.302048
- WEBhttps://vuldb.com/?submit.524198