CVE-2025-3730: 
CBL Mariner vulnerability analysis and mitigation

A vulnerability was discovered in PyTorch 2.6.0, specifically affecting the function torch.nn.functional.ctcloss in the file aten/src/ATen/native/LossCTC.cpp. The vulnerability was disclosed on April 16, 2025, and was assigned identifier CVE-2025-3730. The issue occurs when calling ctcloss with empty tensors on CUDA devices, leading to a floating point exception and subsequent denial of service (GitHub Issue, NVD).

The vulnerability manifests when the ctc_loss function is called with empty tensors on CUDA devices, resulting in a floating point exception and program crash. This behavior differs from CPU execution, where proper error handling occurs. The issue has been assigned a CVSS v3.1 base score of 3.3 (LOW) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, indicating local access is required for exploitation (VulDB).

The vulnerability leads to a denial of service condition when exploited, affecting the availability of systems using PyTorch 2.6.0 with CUDA devices. The impact is limited to local systems and does not affect confidentiality or integrity of the system (VulDB).

A patch has been developed and merged to address this vulnerability. The fix involves adding proper input validation to check for empty tensors before processing. The patch is identified by commit hash 46fc5d8e360127361211cb237d5f9eef0223e567 (GitHub PR, Patch).