Primary

Context

PyTorch Denial-of-Service Vulnerability in the MKLDNN Max Pooling Function

Vulnerability

A denial-of-service vulnerability has been identified in PyTorch versions 2.6.0+cu124. The issue arises in the `torch.mkldnn_max_pool2d` function, where improper handling of the `stride` parameter can lead to a crash, specifically a floating-point exception. This vulnerability requires local access to exploit.

Impact

Exploitation of this vulnerability causes a crash due to a floating-point exception, disrupting the application's normal operation.

Reproduction

The vulnerability can be reproduced by running PyTorch code that creates a tensor with random values, converts it to the MKLDNN format, and then applies the `torch.mkldnn_max_pool2d` function with an invalid stride of zero. This combination triggers a floating-point exception, causing a crash.

Remediation

Users are advised to update to PyTorch version 2.7.1, where this issue has been fixed.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

6.6

impact

2.5

exploitability

6.0

remediation

0.0

relevance

0.0

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

6.6

impact

2.5

exploitability

6.0

remediation

0.0

relevance

0.0

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

PyTorch Denial-of-Service Vulnerability in the MKLDNN Max Pooling Function

Vulnerability

Impact

Reproduction

Remediation

Affected Products

PyTorch

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating