UBUNTU-CVE-2026-4538

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2026-4538

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-4538.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-4538

Upstream

CVE-2026-4538

Published

2026-03-22T05:16:00Z

Modified

2026-05-20T16:26:09.880441110Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
1.9 (Low) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

A vulnerability was identified in PyTorch 2.10.0. The affected element is an unknown function of the component pt2 Loading Handler. The manipulation leads to deserialization. The attack can only be performed from a local environment. The exploit is publicly available and might be used. The project was informed of the problem early through a pull request but has not reacted yet.

References

Affected packages

Ubuntu:22.04:LTS / pytorch

Package

Name: pytorch
Purl: pkg:deb/ubuntu/pytorch?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.7.1-7

1.8.1-4

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libtorch-test",
            "binary_version": "1.8.1-4"
        },
        {
            "binary_name": "libtorch1.8",
            "binary_version": "1.8.1-4"
        },
        {
            "binary_name": "python3-torch",
            "binary_version": "1.8.1-4"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-4538.json"

Ubuntu:25.10 / pytorch

Package

Name: pytorch
Purl: pkg:deb/ubuntu/pytorch?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.6.0+dfsg-5build1

2.6.0+dfsg-7

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libtorch-test",
            "binary_version": "2.6.0+dfsg-7"
        },
        {
            "binary_name": "libtorch2.6",
            "binary_version": "2.6.0+dfsg-7"
        },
        {
            "binary_name": "python3-torch",
            "binary_version": "2.6.0+dfsg-7"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-4538.json"

Ubuntu:26.04:LTS / pytorch

Package

Name: pytorch
Purl: pkg:deb/ubuntu/pytorch?arch=source&distro=resolute

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.6.0+dfsg-7

2.6.0+dfsg-9

2.9.1+dfsg-1~exp1ubuntu2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libtorch-test",
            "binary_version": "2.9.1+dfsg-1~exp1ubuntu2"
        },
        {
            "binary_name": "libtorch2.9",
            "binary_version": "2.9.1+dfsg-1~exp1ubuntu2"
        },
        {
            "binary_name": "python3-torch",
            "binary_version": "2.9.1+dfsg-1~exp1ubuntu2"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-4538.json"