CVE-2026-47749: CWE-787: Out-of-bounds Write in leejet stable-diffusion.cpp
stable-diffusion.cpp is a pure C/C++ library for running diffusion model (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more) inference. Versions prior to master-584-0a7ae07 are vulnerable to heap buffer overflow in SHORT_BINUNICODE parsing for PyTorch checkpoint files. The pickle .ckpt parser in src/model.cpp contained a heap buffer overflow vulnerability in the SHORT_BINUNICODE opcode handler. The issue was caused by sign confusion on the opcode length field. A crafted .ckpt file could trigger memcpy with a very large length derived from a negative signed value, causing immediate heap corruption. Any application using affected stable-diffusion.cpp releases to load untrusted .ckpt model files could be vulnerable. A malicious checkpoint file could cause heap corruption through memcpy with an attacker-controlled length. This may lead to process crash and could potentially be leveraged for code execution depending on heap layout. The attack requires the victim or application to load a .ckpt file from an untrusted source, such as a downloaded model from a model sharing site. The issue has been resolved in version master-584-0a7ae07. If developers are unable to immediately update their applications they can work around this issue by not loading .ckpt checkpoint files from untrusted sources, and referring to trusted model sources and safer formats such as .safetensors where possible.
AI Analysis
Technical Summary
The vulnerability in stable-diffusion.cpp is a heap buffer overflow (CWE-787) caused by sign confusion in the SHORT_BINUNICODE opcode length field when parsing PyTorch checkpoint (.ckpt) files. This allows an attacker to craft a malicious .ckpt file that triggers a memcpy with an attacker-controlled large length, resulting in heap corruption. The flaw affects all versions prior to master-584-0a7ae07. Exploitation requires loading a malicious .ckpt file from an untrusted source. The vulnerability can cause application crashes and may enable code execution depending on heap layout. The issue has been resolved in version master-584-0a7ae07.
Potential Impact
Successful exploitation can cause heap corruption leading to application crashes and potentially arbitrary code execution depending on the heap layout. The vulnerability impacts confidentiality, integrity, and availability (all rated high in CVSS). The attack vector requires local or limited access (AV:L) with user interaction (UI:R) to load a malicious .ckpt file. There are no known exploits in the wild at this time.
Mitigation Recommendations
A fix is available in stable-diffusion.cpp version master-584-0a7ae07. Users and developers should update to this version to remediate the vulnerability. If immediate updating is not feasible, avoid loading .ckpt checkpoint files from untrusted sources. Prefer trusted model sources and safer checkpoint formats such as .safetensors to mitigate risk.
CVE-2026-47749: CWE-787: Out-of-bounds Write in leejet stable-diffusion.cpp
Description
stable-diffusion.cpp is a pure C/C++ library for running diffusion model (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more) inference. Versions prior to master-584-0a7ae07 are vulnerable to heap buffer overflow in SHORT_BINUNICODE parsing for PyTorch checkpoint files. The pickle .ckpt parser in src/model.cpp contained a heap buffer overflow vulnerability in the SHORT_BINUNICODE opcode handler. The issue was caused by sign confusion on the opcode length field. A crafted .ckpt file could trigger memcpy with a very large length derived from a negative signed value, causing immediate heap corruption. Any application using affected stable-diffusion.cpp releases to load untrusted .ckpt model files could be vulnerable. A malicious checkpoint file could cause heap corruption through memcpy with an attacker-controlled length. This may lead to process crash and could potentially be leveraged for code execution depending on heap layout. The attack requires the victim or application to load a .ckpt file from an untrusted source, such as a downloaded model from a model sharing site. The issue has been resolved in version master-584-0a7ae07. If developers are unable to immediately update their applications they can work around this issue by not loading .ckpt checkpoint files from untrusted sources, and referring to trusted model sources and safer formats such as .safetensors where possible.
CVSS v3.1
Score 7.8high
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in stable-diffusion.cpp is a heap buffer overflow (CWE-787) caused by sign confusion in the SHORT_BINUNICODE opcode length field when parsing PyTorch checkpoint (.ckpt) files. This allows an attacker to craft a malicious .ckpt file that triggers a memcpy with an attacker-controlled large length, resulting in heap corruption. The flaw affects all versions prior to master-584-0a7ae07. Exploitation requires loading a malicious .ckpt file from an untrusted source. The vulnerability can cause application crashes and may enable code execution depending on heap layout. The issue has been resolved in version master-584-0a7ae07.
Potential Impact
Successful exploitation can cause heap corruption leading to application crashes and potentially arbitrary code execution depending on the heap layout. The vulnerability impacts confidentiality, integrity, and availability (all rated high in CVSS). The attack vector requires local or limited access (AV:L) with user interaction (UI:R) to load a malicious .ckpt file. There are no known exploits in the wild at this time.
Mitigation Recommendations
A fix is available in stable-diffusion.cpp version master-584-0a7ae07. Users and developers should update to this version to remediate the vulnerability. If immediate updating is not feasible, avoid loading .ckpt checkpoint files from untrusted sources. Prefer trusted model sources and safer checkpoint formats such as .safetensors to mitigate risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-19T22:16:39.504Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a31965e0b89be688808a34f
Added to database: 6/16/2026, 6:30:54 PM
Last enriched: 6/16/2026, 6:50:47 PM
Last updated: 6/16/2026, 11:27:44 PM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.