AVID-2026-R1696
Description
PyTorch nccl.py torch.cuda.nccl.reduce denial of service (CVE-2025-4287)
Details
A vulnerability was found in PyTorch 2.6.0+cu124 and has been rated as problematic. The issue affects the function torch.cuda.nccl.reduce in the file torch/cuda/nccl.py; manipulating it leads to a denial of service. The attack can be launched on the local host. The exploit has been disclosed to the public and may be used. The patch is identified as 5827d2061dcb4acd05ac5f8e65d8693a481ba0f5, and it is recommended to apply it to fix this issue.
Reason for inclusion in AVID: The CVE concerns PyTorch (an AI framework) and its CUDA NCCL usage (torch.cuda.nccl.reduce), causing a denial of service. This directly impacts software used to build/train/deploy AI systems, i.e., the AI stack’s runtime dependencies. The vulnerability is publicly disclosed with affected versions and a patch, indicating clear security risk in the AI software supply chain.
References
- NVD entry
- https://vuldb.com/?id.307394
- https://vuldb.com/?ctiid.307394
- https://vuldb.com/?submit.553644
- https://github.com/pytorch/pytorch/issues/150836
- https://github.com/pytorch/pytorch/pull/150923
- https://github.com/pytorch/pytorch/issues/150836#issue-2979097872
- https://github.com/Divigroup-RAP/PYTORCH/commit/5827d2061dcb4acd05ac5f8e65d8693a481ba0f5
Affected or Relevant Artifacts
- Developer: n/a
- Deployer: n/a
- Artifact Details:
| Type | Name |
|---|---|
| System | PyTorch |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Field | Value |
|---|---|
| Version | 3.1 |
| Vector String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |
| Base Score | 3.3 |
| Base Severity | 🟢 Low |
CWE
| ID | Description |
|---|---|
| CWE-404 | Denial of Service |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2025-05-05
- Version: 0.3.3
- AVID Entry