CVE-2026-31224 — Unsafe torch.load in Snorkel MultitaskClassifier.load

MITRE service request: 1987825

Status: RESERVED (pending a qualifying public reference per CNA Rules §5.3).

Official CVE description

The snorkel library thru v0.10.0 contains an insecure deserialization vulnerability (CWE-502) in the MultitaskClassifier.load() method of the MultitaskClassifier class. The method loads model weight files using torch.load() without enabling the security-restrictive weights_only=True parameter. This default behavior allows the deserialization of arbitrary Python objects via the Pickle module. A remote attacker can exploit this by providing a maliciously crafted model file, leading to arbitrary code execution on the victim’s system when the file is loaded via the vulnerable method.

Summary

MultitaskClassifier.load(model_path=...) deserializes arbitrary .pt weights with full pickle semantics. Malicious model files lead to RCE on load—parallel issue to CVE-2026-31222 but on the multitask classifier code path.

Affected product and versions

• Product: snorkel-team/snorkel.
• Affected range (coordination record): through v0.10.0 (commit 617c92400c50e95ce41fcee84309a86f76cf525c).

Technical details

• Sink: torch.load without weights_only=True.
• Attack: Supply path to hostile checkpoint in multitask workflows.
• Impact: RCE under user running classifier load.

Risk

High for shared multitask modeling pipelines.

Remediation / workaround

• Validate checkpoints; prefer hardened torch APIs.
• Vendor patch TBD.

CVE Program next steps