CVE-2026-47748: CWE-125: Out-of-bounds Read in leejet stable-diffusion.cpp
stable-diffusion.cpp is a pure C/C++ library for running diffusion model (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more) inference. Versions prior to master-584-0a7ae07 are vulnerable to an out-of-bounds reads error through PyTorch checkpoint pickle opcode parsing. The pickle .ckpt parser in src/model.cpp did not consistently check that enough input remained before reading opcode arguments or advancing the parser buffer with a crafted or truncated .ckpt file. Throughout the pickle parser, opcode handlers advanced the parser position with expressions such as buffer += N without first checking that buffer + N <= buffer_end. A truncated file could therefore cause reads past the end of the metadata buffer. LibFuzzer found crashes in under one second using malformed checkpoint inputs. Any application using affected stable-diffusion.cpp releases to load untrusted .ckpt model files could be vulnerable. The attack requires the victim or application to load a .ckpt file from an untrusted source, such as a downloaded model from a model sharing site. This issue has been fixed in version master-584-0a7ae07. If developers are unable to immediately update their applications, they can work around this issue by ensuring they do not load .ckpt checkpoint files from untrusted sources. They should prefer trusted model sources and safer formats such as .safetensors where possible.
AI Analysis
Technical Summary
The stable-diffusion.cpp library, used for diffusion model inference, contains an out-of-bounds read vulnerability (CWE-125) in its PyTorch checkpoint (.ckpt) pickle opcode parser. The parser in src/model.cpp fails to verify that sufficient input remains before reading opcode arguments or advancing the buffer pointer. Specifically, opcode handlers increment the parser buffer position without confirming that the new position does not exceed the buffer end. This flaw allows a crafted or truncated .ckpt file to cause reads beyond the metadata buffer boundary, leading to crashes. The vulnerability affects all versions prior to the fix in commit master-584-0a7ae07. Exploitation requires loading a malicious .ckpt file from an untrusted source. The issue was discovered via fuzzing and no known exploits are reported in the wild.
Potential Impact
Successful exploitation results in out-of-bounds reads that can cause application crashes (denial of service). There is no indication of confidentiality or integrity impact. The vulnerability requires local or limited access to load a malicious .ckpt file, which typically involves user interaction to load untrusted model files. This limits the attack vector to scenarios where untrusted checkpoint files are processed.
Mitigation Recommendations
A fix is available in stable-diffusion.cpp at commit master-584-0a7ae07. Users and developers should update to this version to remediate the vulnerability. If immediate updating is not possible, avoid loading .ckpt checkpoint files from untrusted sources. Prefer trusted model repositories and safer checkpoint formats such as .safetensors to reduce risk.
CVE-2026-47748: CWE-125: Out-of-bounds Read in leejet stable-diffusion.cpp
Description
stable-diffusion.cpp is a pure C/C++ library for running diffusion model (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more) inference. Versions prior to master-584-0a7ae07 are vulnerable to an out-of-bounds reads error through PyTorch checkpoint pickle opcode parsing. The pickle .ckpt parser in src/model.cpp did not consistently check that enough input remained before reading opcode arguments or advancing the parser buffer with a crafted or truncated .ckpt file. Throughout the pickle parser, opcode handlers advanced the parser position with expressions such as buffer += N without first checking that buffer + N <= buffer_end. A truncated file could therefore cause reads past the end of the metadata buffer. LibFuzzer found crashes in under one second using malformed checkpoint inputs. Any application using affected stable-diffusion.cpp releases to load untrusted .ckpt model files could be vulnerable. The attack requires the victim or application to load a .ckpt file from an untrusted source, such as a downloaded model from a model sharing site. This issue has been fixed in version master-584-0a7ae07. If developers are unable to immediately update their applications, they can work around this issue by ensuring they do not load .ckpt checkpoint files from untrusted sources. They should prefer trusted model sources and safer formats such as .safetensors where possible.
CVSS v3.1
Score 5.5medium
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The stable-diffusion.cpp library, used for diffusion model inference, contains an out-of-bounds read vulnerability (CWE-125) in its PyTorch checkpoint (.ckpt) pickle opcode parser. The parser in src/model.cpp fails to verify that sufficient input remains before reading opcode arguments or advancing the buffer pointer. Specifically, opcode handlers increment the parser buffer position without confirming that the new position does not exceed the buffer end. This flaw allows a crafted or truncated .ckpt file to cause reads beyond the metadata buffer boundary, leading to crashes. The vulnerability affects all versions prior to the fix in commit master-584-0a7ae07. Exploitation requires loading a malicious .ckpt file from an untrusted source. The issue was discovered via fuzzing and no known exploits are reported in the wild.
Potential Impact
Successful exploitation results in out-of-bounds reads that can cause application crashes (denial of service). There is no indication of confidentiality or integrity impact. The vulnerability requires local or limited access to load a malicious .ckpt file, which typically involves user interaction to load untrusted model files. This limits the attack vector to scenarios where untrusted checkpoint files are processed.
Mitigation Recommendations
A fix is available in stable-diffusion.cpp at commit master-584-0a7ae07. Users and developers should update to this version to remediate the vulnerability. If immediate updating is not possible, avoid loading .ckpt checkpoint files from untrusted sources. Prefer trusted model repositories and safer checkpoint formats such as .safetensors to reduce risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-19T22:16:39.504Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a31965e0b89be688808a34b
Added to database: 6/16/2026, 6:30:54 PM
Last enriched: 6/16/2026, 6:50:53 PM
Last updated: 6/16/2026, 9:01:02 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.