CVE-2025-46153: 
Homebrew vulnerability analysis and mitigation

CVE-2025-46153 affects PyTorch versions before 2.7.0, specifically involving the bernoulli_p decompose function in decompositions.py. The vulnerability was discovered and disclosed in September 2025, impacting the PyTorch machine learning framework's dropout layer implementations (nn.Dropout1d, nn.Dropout2d, and nn.Dropout3d) (NVD, GitHub Issue).

The vulnerability stems from the bernoulli_p decompose function lacking full consistency with the eager CPU implementation, specifically affecting nn.Dropout1d, nn.Dropout2d, and nn.Dropout3d when fallback_random=True is set. The issue has been assigned a CVSS v3.1 Base Score of 5.3 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The vulnerability is classified under CWE-1176 (Inefficient CPU Computation) (NVD).

The vulnerability causes incorrect calculation results when using the affected dropout layers with torch.compile() on CPU, even when fallback_random=True is set. This inconsistency between compiled and eager execution modes could lead to unexpected behavior in machine learning models, potentially affecting model training and inference results (GitHub Issue).

The vulnerability has been fixed in PyTorch version 2.7.0 by disabling the bernoulli_p decomposition functionality. Users are recommended to upgrade to PyTorch version 2.7.0 or later to address this issue (GitHub PR).