CVE-2025-46152 in PyTorchinfo

Summary

by MITRE • 09/25/2025

In PyTorch before 2.7.0, bitwise_right_shift produces incorrect output for certain out-of-bounds values of the "other" argument.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 09/30/2025

The vulnerability identified as CVE-2025-46152 affects PyTorch versions prior to 2.7.0 and specifically targets the bitwise_right_shift operation within the framework. This issue manifests when the "other" argument contains out-of-bounds values, leading to incorrect computational results that can compromise the integrity of machine learning workflows relying on bitwise operations. The flaw resides in the implementation of the right shift operator for tensor operations, where the framework fails to properly validate input parameters before executing the shift operation. This represents a significant concern for developers and organizations using PyTorch for deep learning applications where bitwise operations may be employed in various computational contexts including but not limited to neural network optimizations, data preprocessing, and custom algorithm implementations.

The technical root cause of this vulnerability stems from inadequate bounds checking within the bitwise_right_shift function implementation. When an out-of-bounds value is provided for the shift amount parameter, the system does not properly handle the edge case, resulting in undefined behavior and incorrect output generation. This flaw falls under the category of improper input validation as classified by CWE-20, which specifically addresses weaknesses in input validation that can lead to unexpected program behavior. The vulnerability demonstrates characteristics consistent with CWE-129, which deals with insufficient checking of the length, size, or range of input data, and CWE-191, which addresses integer underflow and overflow conditions that can occur when handling shift operations with invalid parameters.

The operational impact of CVE-2025-46152 extends beyond simple computational errors to potentially affect the reliability and correctness of machine learning models. In production environments where PyTorch is used for critical applications, incorrect bitwise operations could lead to data corruption, model misclassification, or unexpected behavior in algorithms that depend on precise bit manipulation. This vulnerability is particularly concerning for security-sensitive applications where bitwise operations might be used in cryptographic implementations or security-related preprocessing steps. The flaw could be exploited by attackers who intentionally provide malformed input to cause unexpected behavior in PyTorch-based systems, potentially leading to denial of service conditions or data integrity issues that might go unnoticed until significant damage has occurred.

Organizations utilizing PyTorch should prioritize upgrading to version 2.7.0 or later to remediate this vulnerability. The mitigation strategy should include comprehensive testing of all PyTorch-based applications to identify any code paths that utilize bitwise_right_shift operations with potentially unvalidated input parameters. Security teams should implement monitoring procedures to detect anomalous behavior in systems processing data through bitwise operations, particularly when dealing with user-supplied or external data sources. Additionally, developers should consider implementing defensive programming practices including input validation checks and error handling mechanisms around bitwise operations to provide additional layers of protection. From an ATT&CK framework perspective, this vulnerability could be leveraged as part of a broader attack chain under techniques such as T1059.001 for command and scripting interpreter usage, and T1566 for social engineering, particularly in scenarios where attackers might attempt to exploit the incorrect behavior to manipulate data processing workflows. The vulnerability also aligns with T1499.004 for unauthorized data modification, as incorrect bitwise operations could lead to data corruption that affects downstream processing and decision-making systems.

Responsible

MITRE

Reservation

04/22/2025

Disclosure

09/25/2025

Moderation

accepted

CPE

ready

EPSS

0.00423

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!