Login Sign Up

CVE-2025-55552

7.5 HIGH

📋 TL;DR

CVE-2025-55552 is an integer overflow vulnerability in PyTorch v2.8.0 that occurs when torch.rot90 and torch.randn_like functions are used together, potentially causing memory corruption or crashes. This affects any application or system using PyTorch v2.8.0 for machine learning workloads.

💻 Affected Systems

Products:
  • PyTorch
Versions: v2.8.0 only
Operating Systems: All platforms running PyTorch
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when torch.rot90 and torch.randn_like are used together in specific ways. Other PyTorch versions are not affected.

📦 What is this software?

Pytorch by Linuxfoundation

View all CVEs affecting Pytorch →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise if combined with other vulnerabilities, or denial of service causing critical ML inference failures.

🟠

Likely Case

Application crashes or unexpected behavior during tensor operations, disrupting ML model training or inference pipelines.

🟢

If Mitigated

Controlled crashes with proper error handling, minimal data loss if operations are sandboxed.

🌐 Internet-Facing: MEDIUM - Exploitation requires specific API calls with vulnerable functions, but ML services exposed via web APIs could be targeted.
🏢 Internal Only: MEDIUM - Internal ML training pipelines and inference servers are vulnerable if using affected code patterns.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Proof of concept demonstrates crash but not full exploitation. Requires specific function calls within application code.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2.8.1 or later

Vendor Advisory: https://github.com/pytorch/pytorch/issues/147847

Restart Required: No

Instructions:

1. Update PyTorch: pip install torch==2.8.1 2. Verify installation: python -c 'import torch; print(torch.__version__)' 3. Test affected code patterns.

🔧 Temporary Workarounds

Avoid vulnerable function combination

all

Refactor code to avoid using torch.rot90 and torch.randn_like together

# Review code for patterns like: torch.rot90(torch.randn_like(...))
# Replace with alternative tensor operations

🧯 If You Can't Patch

  • Implement input validation and sanitization for tensor operations
  • Run PyTorch in isolated containers with resource limits to contain crashes

🔍 How to Verify

Check if Vulnerable:

Check if code uses torch.rot90 with torch.randn_like. Test with sample inputs to see if crashes occur.

Check Version:

python -c 'import torch; print(torch.__version__)'

Verify Fix Applied:

After updating, test previously crashing code patterns to ensure normal operation.

📡 Detection & Monitoring

Log Indicators:

  • PyTorch segmentation faults
  • Python process crashes during tensor operations
  • Error messages mentioning rot90 or randn_like

Network Indicators:

  • Unusual ML API response patterns
  • Increased error rates in inference services

SIEM Query:

process_name:python AND (event_type:crash OR error_message:*rot90* OR error_message:*randn_like*)

📊 Metadata

CVE ID: CVE-2025-55552
CVSS v3 Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-190
EPSS Score: 0.09% exploit probability (25.4th percentile)
Published: September 25, 2025
Last Updated: October 3, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-55552, you might also want to check these:

CVE-2025-64721 10.0

This vulnerability in Sandboxie allows sandboxed processes to exploit an integer overflow in the Sbi...

Same vulnerability type (CWE-190)
CVE-2025-52581 9.8

An integer overflow vulnerability in libbiosig's GDF file parsing allows arbitrary code execution wh...

Same vulnerability type (CWE-190)
CVE-2025-53518 9.8

An integer overflow vulnerability in libbiosig's ABF file parser allows arbitrary code execution whe...

Same vulnerability type (CWE-190)