CVE-2025-46148 in PyTorch
Summary
by MITRE • 09/25/2025
In PyTorch through 2.6.0, when eager is used, nn.PairwiseDistance(p=2) produces incorrect results.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 09/30/2025
The vulnerability identified as CVE-2025-46148 affects PyTorch versions through 2.6.0 and specifically impacts the nn.PairwiseDistance layer when operating in eager mode. This issue represents a critical mathematical error in the computation of pairwise distances, which fundamentally alters the behavior of machine learning models that rely on this functionality. The flaw manifests when the p=2 parameter is used, which corresponds to the Euclidean distance calculation, a commonly employed metric in neural network architectures for similarity measurements and clustering operations.
The technical root cause of this vulnerability lies in the improper implementation of the pairwise distance computation algorithm within the nn.PairwiseDistance module. When eager execution mode is enabled, the system fails to correctly process the mathematical operations required for computing Euclidean distances between input tensors. This results in incorrect numerical outputs that can significantly impact model training and inference accuracy. The error typically occurs during forward passes through neural networks where pairwise distance calculations are utilized, potentially causing downstream components to receive malformed data that leads to cascading computational errors.
The operational impact of this vulnerability extends beyond simple mathematical inaccuracies to potentially compromise entire machine learning workflows. Models that depend on accurate distance computations for tasks such as clustering, similarity matching, or metric learning may produce fundamentally flawed results, leading to incorrect classifications or predictions. This vulnerability particularly affects applications in computer vision, natural language processing, and recommendation systems where pairwise distance metrics are integral to model performance. The issue becomes more pronounced when models are trained using datasets where distance calculations are critical for learning proper representations, as the training process may converge to suboptimal solutions or fail entirely.
Organizations and developers utilizing PyTorch for machine learning applications should immediately assess their codebases for usage of nn.PairwiseDistance with p=2 parameter in eager execution mode. The vulnerability aligns with CWE-248, an unspecified weakness in the execution of programs, and may contribute to broader categories of software faults that affect machine learning systems. From an attack surface perspective, this vulnerability could be exploited by adversaries seeking to manipulate model outputs through carefully crafted inputs that amplify the mathematical errors. The ATT&CK framework categorizes this under software integrity compromises where adversaries may modify or corrupt software components to achieve unauthorized behavior. Mitigation strategies should include immediate upgrading to PyTorch versions that address this vulnerability, thorough testing of affected models, and implementation of additional validation checks for distance computations in critical workflows.