PatchSiren

CVE-2026-38950 ESA CVE debrief

An unsafe deserialization vulnerability in ESA AnomalyMatch before version 1.3.1 allows local attackers to execute arbitrary code by supplying crafted PyTorch model checkpoint files. The affected software loads model files from session directories using torch.load() without restricting deserialization, enabling malicious object execution during model loading. The vulnerability requires local access and low privileges but can result in complete confidentiality, integrity, and availability compromise on the affected system. A fix has been proposed via pull request to the ESA AnomalyMatch repository.

Vendor: ESA
Product: AnomalyMatch
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

Organizations running ESA AnomalyMatch for anomaly detection in satellite or space operations data; machine learning engineering teams using PyTorch model loading in production environments; security teams responsible for AI/ML supply chain and model artifact integrity; system administrators managing multi-user environments where untrusted users may provide model inputs.

Technical summary

ESA AnomalyMatch versions prior to 1.3.1 use torch.load() without deserialization restrictions when loading model checkpoint files from session directories. This enables attackers with local access and low privileges to craft malicious PyTorch pickle-based checkpoint files that execute arbitrary code during model loading. The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) with a CVSS 3.1 score of 7.8 (HIGH). The attack requires no user interaction and can result in complete system compromise. Remediation involves updating to version 1.3.1 or applying the proposed patch that restricts deserialization behavior.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade ESA AnomalyMatch to version 1.3.1 or later when available
  • Apply the remediation from the referenced pull request if upgrading is not immediately possible
  • Restrict write access to session directories and model checkpoint paths to trusted users only
  • Validate and sanitize all model checkpoint files before loading, and call torch.load() with weights_only=True where the PyTorch version supports it
  • Implement application sandboxing or containerization to limit impact of potential deserialization attacks
  • Monitor for anomalous process execution following model loading operations
  • Review and audit all custom PyTorch model loading code for similar unsafe deserialization patterns
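
One way to carry out the checkpoint validation step above before a file reaches torch.load(): this added Python example (not code from AnomalyMatch or the referenced pull request) lists the globals a zip-format checkpoint's pickle would import, without unpickling it, and reports anything outside an allowlist. The allowlist contents, the `archive/data.pkl` member name and the function names are assumptions for illustration, and the sample inputs are constructed.

```python
import io
import pickle
import pickletools
import zipfile

# Illustrative allowlist (assumption, not PyTorch's own list) for a state_dict.
ALLOWED_GLOBALS = {("collections", "OrderedDict"),
                   ("torch._utils", "_rebuild_tensor_v2"),
                   ("torch", "FloatStorage")}
STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
MEMO_WRITES = {"PUT", "BINPUT", "LONG_BINPUT", "MEMOIZE"}

def referenced_globals(pickle_bytes):
    """List (module, name) imports in a pickle stream without running it.
    Names that cannot be resolved statically are reported as "?"."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(pickle_bytes):
        if op.name in STRING_OPS:
            strings.append(arg)
        elif op.name not in MEMO_WRITES:  # memo writes leave the stack alone
            if op.name in ("GLOBAL", "INST"):  # arg is "module name"
                found.append(tuple(arg.split(" ", 1)))
            elif op.name == "STACK_GLOBAL":  # protocol 4+: names on the stack
                module, name = ([None, None] + strings)[-2:]
                found.append((module or "?", name or "?"))
            strings = []  # fail closed: any other opcode drops tracked strings
    return found

def audit_checkpoint(blob):
    """Return every import outside the allowlist; an empty list means pass."""
    if not zipfile.is_zipfile(io.BytesIO(blob)):
        return [("?", "not a zip-format checkpoint")]
    with zipfile.ZipFile(io.BytesIO(blob)) as archive:
        pickles = [n for n in archive.namelist() if n.endswith(".pkl")]
        refs = [r for n in pickles for r in referenced_globals(archive.read(n))]
    if not pickles:
        return [("?", "no pickle member found")]
    return [r for r in refs if r not in ALLOWED_GLOBALS]

class Marker:  # constructed sample: unpickling it would only call print()
    def __reduce__(self):
        return (print, ("constructed marker",))

def make_sample(obj):
    """Constructed input: a zip laid out like a torch.save() archive."""
    buf = io.BytesIO()
    payload = pickle.dumps(obj, protocol=2, fix_imports=False)
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("archive/data.pkl", payload)
    return buf.getvalue()
```

A non-empty result is a reason to quarantine the file rather than load it. A pass is only a pre-filter, so the load itself should still use weights_only=True.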

Evidence notes

The CVE description and NVD metadata confirm that the vulnerability involves torch.load() with unrestricted deserialization in ESA AnomalyMatch versions prior to 1.3.1. The CVSS vector (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates a local attack vector with low attack complexity and low privileges required. CWE-502 (Deserialization of Untrusted Data) is identified as the weakness. A pull request (ref-5) is referenced as remediation activity. A security advisory from imlabs.info (ref-6) provides additional technical context. The vendor identification remains under review, with low confidence: candidate evidence from the reference domain points to Imlabs.

Official resources

2026-06-01T17:16:59.257Z