CVE-2025-46150 in PyTorch
Summary
by MITRE • 09/25/2025
In PyTorch before 2.7.0, when torch.compile is used, FractionalMaxPool2d has inconsistent results.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 09/30/2025
The vulnerability identified as CVE-2025-46150 affects PyTorch versions prior to 2.7.0 and specifically impacts the torch.compile functionality when used with FractionalMaxPool2d operations. This issue represents a critical inconsistency in computational behavior that can lead to unpredictable outcomes in machine learning model inference and training processes. The vulnerability manifests when developers utilize the torch.compile optimization feature alongside FractionalMaxPool2d layers, creating a scenario where identical input data may produce different output results across multiple executions or compilation runs.
FractionalMaxPool2d is a pooling operation that applies max pooling with fractional stride sizes, allowing for varying pool sizes that can be beneficial for certain neural network architectures. The inconsistency arises from how torch.compile handles the compilation and optimization of this specific pooling operation, leading to non-deterministic behavior in the computational graph. This issue directly violates fundamental principles of deterministic computation that are essential for reproducible machine learning workflows and model validation processes. The problem becomes particularly severe in production environments where consistent model outputs are critical for maintaining system reliability and trust in automated decision-making processes.
From a cybersecurity perspective, this vulnerability creates potential attack vectors through inconsistent behavior that could be exploited to manipulate model outputs or introduce subtle errors in inference systems. The inconsistency may enable adversaries to craft inputs that produce different results under different compilation scenarios, potentially leading to model evasion or manipulation attacks. According to CWE classification, this vulnerability aligns with CWE-691, which deals with insufficient control of a resource through a mechanism, and CWE-707, concerning improper handling of potentially malicious input. The vulnerability also maps to ATT&CK technique T1584.004, which involves the manipulation of machine learning models through code injection or modification of computational behavior.
The operational impact of this vulnerability extends beyond simple computational inconsistencies to affect the integrity and reliability of machine learning pipelines. Systems relying on PyTorch for computer vision applications, natural language processing, or other deep learning tasks may experience unpredictable behavior when using torch.compile with FractionalMaxPool2d layers. This can result in model performance degradation, incorrect inference results, and difficulties in debugging or validating model outputs. The vulnerability particularly affects organizations using automated model compilation workflows, as the inconsistent behavior may only surface during runtime or under specific conditions, making detection and remediation challenging.
Organizations should immediately upgrade to PyTorch version 2.7.0 or later to address this vulnerability, as no effective workarounds exist for the underlying compilation inconsistency. The recommended mitigation strategy involves implementing comprehensive testing procedures that validate model outputs across different compilation scenarios and ensuring that FractionalMaxPool2d operations are either avoided in compiled code or thoroughly tested before deployment. Security teams should monitor for potential exploitation attempts that might leverage the inconsistent behavior to manipulate model outputs, while development teams should review existing codebases for usage of torch.compile with FractionalMaxPool2d to identify and remediate affected implementations. Additionally, organizations should implement runtime monitoring to detect anomalous behavior patterns that might indicate exploitation attempts targeting this vulnerability.