CVE-2026-31222 — Unsafe torch.load in Snorkel Trainer.load

MITRE service request: 1987825

Status: RESERVED (pending a qualifying public reference per CNA Rules §5.3).

Official CVE description

The snorkel library thru v0.10.0 contains an insecure deserialization vulnerability (CWE-502) in the Trainer.load() method of the Trainer class. The method loads model checkpoint files using torch.load() without enabling the security-restrictive weights_only=True parameter. This default behavior allows the deserialization of arbitrary Python objects via the Pickle module. A remote attacker can exploit this by providing a maliciously crafted model file, leading to arbitrary code execution on the victim’s system when the file is loaded via the vulnerable method.

Summary

Snorkel’s Trainer.load(trainer_path=..., model=None) path deserializes user-supplied checkpoints with unsafe torch.load, enabling pickle-based RCE when victims open hostile trainer bundles.

Affected product and versions

• Product: snorkel-team/snorkel.
• Affected range (coordination record): through v0.10.0 (commit 617c92400c50e95ce41fcee84309a86f76cf525c).

Technical details

• Sink: Trainer.load → torch.load without weights_only=True.
• Attacker model: Distribute malicious .pt / .ckpt trainer artifacts via tutorials or datasets.
• Victim action: Invoke Trainer.load pointing at attacker path.
• Result: Arbitrary code execution in notebook or batch job context.

Risk

High for researchers loading third-party Snorkel models.

Remediation / workaround

• Patch/upgrade when available; wrap loads with integrity checks.
• Use isolated VMs for unknown checkpoints (TBD vendor guidance).