CVE-2024-31583 – PyTorch versions before v2.2.0 contain a use-af... (How to Fix)

Q: What is the severity of CVE-2024-31583?

CVE-2024-31583 has a CVSS score of 7.8 (HIGH). PyTorch versions before v2.2.0 contain a use-after-free vulnerability in the mobile interpreter component. This allows attackers to potentially execute arbitrary code or cause denial of service by manipulating freed memory. Users running vulnerable PyTorch versions in production or development environments are affected.

📋 TL;DR

PyTorch versions before v2.2.0 contain a use-after-free vulnerability in the mobile interpreter component. This allows attackers to potentially execute arbitrary code or cause denial of service by manipulating freed memory. Users running vulnerable PyTorch versions in production or development environments are affected.

💻 Affected Systems

Products:

PyTorch

Versions: All versions before v2.2.0

Operating Systems: All platforms running PyTorch

Default Config Vulnerable: ⚠️ Yes

Notes: Specifically affects the mobile interpreter component (torch/csrc/jit/mobile/interpreter.cpp).

📦 What is this software?

Pytorch by Linuxfoundation

View all CVEs affecting Pytorch →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠

Likely Case

Application crash or denial of service affecting machine learning inference pipelines.

🟢

If Mitigated

Limited impact with proper sandboxing and memory protection mechanisms in place.

🌐 Internet-Facing: MEDIUM - Requires specific PyTorch mobile interpreter usage patterns exposed externally.

🏢 Internal Only: MEDIUM - Internal ML pipelines and development environments could be affected.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires control over PyTorch mobile model inputs or interpreter state.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2.2.0 and later

Vendor Advisory: https://github.com/pytorch/pytorch/security/advisories

Restart Required: Yes

Instructions:

1. Update PyTorch to v2.2.0 or later using pip: 'pip install --upgrade torch>=2.2.0' 2. Restart all applications using PyTorch. 3. Rebuild any containers or deployments with updated version.

🔧 Temporary Workarounds

Disable mobile interpreter

all

Avoid using PyTorch's mobile interpreter component if not required

Memory hardening

linux

Enable ASLR and other memory protection mechanisms

sysctl -w kernel.randomize_va_space=2

🧯 If You Can't Patch

Isolate PyTorch processes with containerization or sandboxing
Implement strict input validation for PyTorch mobile models

🔍 How to Verify

Check if Vulnerable:

Check PyTorch version: 'python -c "import torch; print(torch.__version__)"' - if version < 2.2.0, vulnerable.

Check Version:

python -c "import torch; print(torch.__version__)"

Verify Fix Applied:

Verify version is >=2.2.0 and test mobile interpreter functionality.

📡 Detection & Monitoring

Log Indicators:

Segmentation faults in PyTorch processes
Unexpected memory access errors
Mobile interpreter crashes

Network Indicators:

Unusual outbound connections from ML inference services

SIEM Query:

source="*pytorch*" AND ("segmentation fault" OR "SIGSEGV" OR "use-after-free")

📊 Metadata

CVE ID: CVE-2024-31583

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-416

Published: April 17, 2024

Last Updated: June 10, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-31583, you might also want to check these: