{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/pytorch-lightning-through-2.6.5/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-58659"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PyTorch Lightning (through 2.6.5)"],"_cs_severities":["high"],"_cs_tags":["remote-code-execution","vulnerability","python","pytorch"],"_cs_type":"advisory","_cs_vendors":["Lightning-AI"],"content_html":"\u003cp\u003eA critical remote code execution (RCE) vulnerability, tracked as CVE-2026-58659, has been identified in PyTorch Lightning versions up to and including 2.6.5. This flaw resides within the \u003ccode\u003e_load_state\u003c/code\u003e function, which is responsible for loading model states from checkpoint files. Attackers can exploit this by crafting malicious checkpoint files containing specially crafted \u003ccode\u003e_instantiator\u003c/code\u003e hyperparameters. When a victim or automated process loads such a malicious file using \u003ccode\u003eLightningModule.load_from_checkpoint()\u003c/code\u003e, the \u003ccode\u003e_load_state\u003c/code\u003e function improperly imports and executes attacker-controlled module names, leading to arbitrary code execution. This bypasses the \u003ccode\u003eweights_only=True\u003c/code\u003e protection, enabling full system compromise. The vulnerability was fixed in commit \u003ccode\u003ed710d68\u003c/code\u003e and was published by NVD on July 15, 2026. This vulnerability has a CVSS v3.1 Base Score of 7.8, indicating a high severity risk for users of affected versions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious PyTorch Lightning checkpoint file (\u003ccode\u003e.ckpt\u003c/code\u003e or similar) designed to exploit CVE-2026-58659.\u003c/li\u003e\n\u003cli\u003eThe malicious checkpoint file is embedded with attacker-controlled module names within its \u003ccode\u003e_instantiator\u003c/code\u003e hyperparameters.\u003c/li\u003e\n\u003cli\u003eAttacker delivers the malicious checkpoint file to a victim's system, potentially via email (phishing), untrusted download links, or by compromising a data repository.\u003c/li\u003e\n\u003cli\u003eA user or automated process on the victim's system loads the malicious checkpoint file using the \u003ccode\u003eLightningModule.load_from_checkpoint()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eDuring the loading process, the vulnerable \u003ccode\u003e_load_state\u003c/code\u003e function is invoked.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e_load_state\u003c/code\u003e function attempts to process the \u003ccode\u003e_instantiator\u003c/code\u003e hyperparameters, importing and executing the attacker-controlled module names.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eweights_only=True\u003c/code\u003e protection mechanism within PyTorch Lightning is bypassed due to the nature of this vulnerability.\u003c/li\u003e\n\u003cli\u003eArbitrary code embedded or referenced by the attacker within the malicious checkpoint file is executed on the victim's system, leading to remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-58659 allows an attacker to achieve arbitrary code execution on the system where the malicious PyTorch Lightning checkpoint file is processed. This can lead to a complete compromise of the affected system, allowing attackers to steal sensitive data, install further malware, modify system configurations, or disrupt operations. While no specific victim organizations or sectors are detailed in the advisory, any environment utilizing vulnerable PyTorch Lightning versions for model training or inference, particularly those loading checkpoint files from untrusted sources, is at risk. The direct consequence is a loss of confidentiality, integrity, and availability of the compromised system and potentially connected resources.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update all PyTorch Lightning installations to a version beyond 2.6.5, incorporating the fix from commit \u003ccode\u003ed710d689510d50e800f53b3cd773cbca20b1f86f\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEducate users on the risks of loading \u003ccode\u003e.ckpt\u003c/code\u003e or similar PyTorch Lightning checkpoint files from untrusted or unverified sources, as described in the attack chain.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and validation for PyTorch Lightning checkpoint files, ensuring only trusted and signed models are loaded into production environments.\u003c/li\u003e\n\u003cli\u003eMonitor systems for unusual process execution or network activity originating from applications loading PyTorch Lightning models, which could indicate arbitrary code execution as described in the attack chain.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-15T18:22:57Z","date_published":"2026-07-15T18:22:57Z","id":"https://feed.craftedsignal.io/briefs/2026-07-pytorch-lightning-rce/","summary":"A remote code execution vulnerability, CVE-2026-58659, exists in PyTorch Lightning through version 2.6.5, allowing attackers to craft malicious checkpoint files that execute arbitrary code by exploiting a flaw in the `_load_state` function when `LightningModule.load_from_checkpoint` is called.","title":"Remote Code Execution Vulnerability in PyTorch Lightning via Malicious Checkpoint Files (CVE-2026-58659)","url":"https://feed.craftedsignal.io/briefs/2026-07-pytorch-lightning-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - PyTorch Lightning (Through 2.6.5)","version":"https://jsonfeed.org/version/1.1"}