Security context
Medium· 5.3PYSEC-2025-198 CVE-2025-46148Published Sep 25, 2025

In PyTorch through 2.6.0, when eager is used, nn.PairwiseDistance(p=2) produces incorrect results.

Research this vulnerability

Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.

Affected versions

0 → fixed in 2.7.0

Details

In PyTorch through 2.6.0, when eager is used, nn.PairwiseDistance(p=2) produces incorrect results.

The fix

Update

Isuru Fernando· May 6, 2025, 09:15 PM+7450a3568ba9
test/inductor/test_indexing.py+7 0
@@ -205,6 +205,13 @@ def test_modular_indexing_pairs_not_merged(self):
self.assertEqual(expr2, actual)
self.assertNotEqual(ModularIndexing(x, 1, b), actual)
+ def test_modular_indexing_positive(self):
+ x = sympy.Symbol("x", integer=True, positive=True)
+ expr = ModularIndexing(x, 1, 1024) - 1
+ expr2 = abs(expr)
+
+ self.assertNotEqual(expr2, expr)
+
def test_expand_floor_div_skipped(self):
sizevars = SizeVarAllocator()
x = sympy.Symbol("x", integer=True, positive=True)
torch/utils/_sympy/functions.py+0 4
@@ -363,10 +363,6 @@ def _eval_is_nonnegative(self) -> Optional[bool]:
p, q = self.args[:2]
return fuzzy_eq(p.is_nonnegative, q.is_nonnegative) # type: ignore[attr-defined]
- def _eval_is_positive(self) -> Optional[bool]:
- p, q = self.args[:2]
- return fuzzy_eq(p.is_positive, q.is_positive) # type: ignore[attr-defined]
-
class Where(sympy.Function):
"""

References