CVE-2024-31584
Out-of-bounds Read vulnerability in torch (PyPI)
What is CVE-2024-31584 About?
An Out-of-bounds Read vulnerability exists in Pytorch before v2.2.0, specifically within the `torch/csrc/jit/mobile/flatbuffer_loader.cpp` component. This flaw could lead to information disclosure or crashes due to improper memory access. Exploitation generally requires specific input crafted to trigger the out-of-bounds condition, making it moderately difficult to exploit.
Affected Software
- torch
- <2.2.0
- <7c35874ad664e74c8e4252d67521f3986eadb0e6
Technical Details
The vulnerability stems from an Out-of-bounds Read within the torch/csrc/jit/mobile/flatbuffer_loader.cpp component of Pytorch. This means that during the processing or loading of FlatBuffer data, the software attempts to read data from a memory location that is outside the bounds of the allocated buffer. This can occur if input data or internal pointers are not correctly validated or constrained, leading to an attempt to access invalid memory. Such an operation can result in the disclosure of sensitive information from adjacent memory regions or trigger a denial-of-service condition due to a program crash.
What is the Impact of CVE-2024-31584?
Successful exploitation may allow attackers to cause a denial-of-service condition, leading to system instability or crashes, or potentially disclose sensitive information from memory.
What is the Exploitability of CVE-2024-31584?
Exploitation of this Out-of-bounds Read vulnerability typically requires a deep understanding of the Pytorch internal memory management and the flatbuffer_loader.cpp component. Prerequisites involve crafting specific input data or FlatBuffer structures that can cause the out-of-bounds memory access. Authentication is not directly required as the vulnerability likely resides in data processing, but an attacker would need a method to supply malicious input to the affected component. This is likely a local or logical attack, requiring the attacker to interact with the Pytorch application directly or supply it with malformed data. The complexity is moderate, as it involves precise memory manipulation, and the potential risk increases if user-controlled data is routinely processed by the vulnerable component without robust validation.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2024-31584?
Available Upgrade Options
- torch
- <7c35874ad664e74c8e4252d67521f3986eadb0e6 → Upgrade to 7c35874ad664e74c8e4252d67521f3986eadb0e6
- torch
- <2.2.0 → Upgrade to 2.2.0
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://github.com/pytorch/pytorch/commit/7c35874ad664e74c8e4252d67521f3986eadb0e6
- https://osv.dev/vulnerability/PYSEC-2024-250
- https://github.com/pytorch/pytorch/commit/7c35874ad664e74c8e4252d67521f3986eadb0e6
- https://github.com/pytorch/pytorch/blob/v2.1.2/torch/csrc/jit/mobile/flatbuffer_loader.cpp#L305
- https://github.com/pytorch/pytorch/blob/v2.1.2/torch/csrc/jit/mobile/flatbuffer_loader.cpp#L305
What are Similar Vulnerabilities to CVE-2024-31584?
Similar Vulnerabilities: CVE-2023-38408 , CVE-2023-45869 , CVE-2023-40545 , CVE-2022-47528 , CVE-2022-42898
