CVE-2025-30404 – An integer overflow vulnerability in ExecuTorch... (How to Fix)

Q: What is the severity of CVE-2025-30404?

CVE-2025-30404 has a CVSS score of 9.8 (CRITICAL). An integer overflow vulnerability in ExecuTorch's model loading functionality can cause overlapping memory allocations, potentially leading to arbitrary code execution. This affects all systems using ExecuTorch models prior to the patched commit. Attackers could exploit this to execute malicious code with the privileges of the ExecuTorch process.

📋 TL;DR

An integer overflow vulnerability in ExecuTorch's model loading functionality can cause overlapping memory allocations, potentially leading to arbitrary code execution. This affects all systems using ExecuTorch models prior to the patched commit. Attackers could exploit this to execute malicious code with the privileges of the ExecuTorch process.

💻 Affected Systems

Products:

ExecuTorch

Versions: All versions prior to commit d158236b1dc84539c1b16843bc74054c9dcba006

Operating Systems: All platforms running ExecuTorch

Default Config Vulnerable: ⚠️ Yes

Notes: Any application loading ExecuTorch models is vulnerable regardless of configuration.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠

Likely Case

Application crash (denial of service) or memory corruption leading to unpredictable behavior.

🟢

If Mitigated

Limited impact if proper sandboxing and privilege separation are implemented.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires loading a malicious ExecuTorch model file, which could be delivered via various vectors.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit d158236b1dc84539c1b16843bc74054c9dcba006 or later

Vendor Advisory: https://www.facebook.com/security/advisories/cve-2025-30404

Restart Required: Yes

Instructions:

1. Update ExecuTorch to commit d158236b1dc84539c1b16843bc74054c9dcba006 or later. 2. Rebuild any applications using ExecuTorch. 3. Restart affected services.

🔧 Temporary Workarounds

Model validation

all

Implement strict validation of ExecuTorch model files before loading

Sandbox execution

all

Run ExecuTorch processes in isolated containers or sandboxes

🧯 If You Can't Patch

Restrict loading of untrusted ExecuTorch model files
Implement network segmentation to limit exposure of vulnerable systems

🔍 How to Verify

Check if Vulnerable:

Check ExecuTorch git commit hash; if earlier than d158236b1dc84539c1b16843bc74054c9dcba006, you are vulnerable.

Check Version:

git log --oneline -1

Verify Fix Applied:

Confirm ExecuTorch is at commit d158236b1dc84539c1b16843bc74054c9dcba006 or later.

📡 Detection & Monitoring

Log Indicators:

Memory allocation errors
Process crashes when loading models
Unexpected process termination

Network Indicators:

Unexpected model file downloads
Suspicious file transfers to ExecuTorch services

SIEM Query:

process:executorch AND (event:crash OR event:memory_error)

📊 Metadata

CVE ID: CVE-2025-30404

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-190

EPSS Score: 0.1% exploit probability (27.9th percentile)

Published: August 7, 2025

Last Updated: August 12, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-30404, you might also want to check these: