Remote Code Execution Vulnerability in PyTorch Lightning via Malicious Checkpoint Files (CVE-2026-58659)
A remote code execution vulnerability, CVE-2026-58659, exists in PyTorch Lightning through version 2.6.5, allowing attackers to craft malicious checkpoint files that execute arbitrary code by exploiting a flaw in the `_load_state` function when `LightningModule.load_from_checkpoint` is called.
A critical remote code execution (RCE) vulnerability, tracked as CVE-2026-58659, has been identified in PyTorch Lightning versions up to and including 2.6.5. This flaw resides within the _load_state function, which is responsible for loading model states from checkpoint files. Attackers can exploit this by crafting malicious checkpoint files containing specially crafted _instantiator hyperparameters. When a victim or automated process loads such a malicious file using LightningModule.load_from_checkpoint(), the _load_state function improperly imports and executes attacker-controlled module names, leading to arbitrary code execution. This bypasses the weights_only=True protection, enabling full system compromise. The vulnerability was fixed in commit d710d68 and was published by NVD on July 15, 2026. This vulnerability has a CVSS v3.1 Base Score of 7.8, indicating a high severity risk for users of affected versions.
Attack Chain
- Attacker crafts a malicious PyTorch Lightning checkpoint file (
.ckptor similar) designed to exploit CVE-2026-58659. - The malicious checkpoint file is embedded with attacker-controlled module names within its
_instantiatorhyperparameters. - Attacker delivers the malicious checkpoint file to a victim's system, potentially via email (phishing), untrusted download links, or by compromising a data repository.
- A user or automated process on the victim's system loads the malicious checkpoint file using the
LightningModule.load_from_checkpoint()function. - During the loading process, the vulnerable
_load_statefunction is invoked. - The
_load_statefunction attempts to process the_instantiatorhyperparameters, importing and executing the attacker-controlled module names. - The
weights_only=Trueprotection mechanism within PyTorch Lightning is bypassed due to the nature of this vulnerability. - Arbitrary code embedded or referenced by the attacker within the malicious checkpoint file is executed on the victim's system, leading to remote code execution.
Impact
Successful exploitation of CVE-2026-58659 allows an attacker to achieve arbitrary code execution on the system where the malicious PyTorch Lightning checkpoint file is processed. This can lead to a complete compromise of the affected system, allowing attackers to steal sensitive data, install further malware, modify system configurations, or disrupt operations. While no specific victim organizations or sectors are detailed in the advisory, any environment utilizing vulnerable PyTorch Lightning versions for model training or inference, particularly those loading checkpoint files from untrusted sources, is at risk. The direct consequence is a loss of confidentiality, integrity, and availability of the compromised system and potentially connected resources.
Recommendation
- Immediately update all PyTorch Lightning installations to a version beyond 2.6.5, incorporating the fix from commit
d710d689510d50e800f53b3cd773cbca20b1f86f. - Educate users on the risks of loading
.ckptor similar PyTorch Lightning checkpoint files from untrusted or unverified sources, as described in the attack chain. - Implement strict access controls and validation for PyTorch Lightning checkpoint files, ensuring only trusted and signed models are loaded into production environments.
- Monitor systems for unusual process execution or network activity originating from applications loading PyTorch Lightning models, which could indicate arbitrary code execution as described in the attack chain.
Indicators of compromise
1
hash_sha1
| Type | Value |
|---|---|
| hash_sha1 | d710d689510d50e800f53b3cd773cbca20b1f86f |