
Cloud Vulnerability DB
A community-led vulnerabilities database
An integer overflow vulnerability has been identified in ExecuTorch (CVE-2025-54952) affecting versions prior to commit 8f062d3f661e20bb19b24b767b9a9a46e8359f2b. The vulnerability exists in the loading of ExecuTorch models, where insufficient validation of memory allocation calculations can lead to smaller-than-expected memory regions being allocated. This vulnerability was disclosed on August 7, 2025, and received a CVSS v3.1 base score of 9.8 (CRITICAL) (NVD).
The vulnerability is classified as CWE-680 (Integer Overflow to Buffer Overflow). The issue occurs during memory allocation when loading ExecuTorch models, where the product of size and sizeof(T) can result in an integer overflow. This overflow leads to incorrect memory allocation sizes, potentially causing buffer overflows or other memory corruption issues. The vulnerability received a CVSS v3.1 vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating high severity across confidentiality, integrity, and availability impacts (NVD).
The undersized allocation can result in code execution or other undesirable effects. When exploited, an attacker could potentially execute arbitrary code, leading to complete system compromise. The critical CVSS score of 9.8 indicates severe potential impacts across all security properties: confidentiality, integrity, and availability (NVD).
The vulnerability has been patched in commit 8f062d3f661e20bb19b24b767b9a9a46e8359f2b. The fix implements proper overflow checking using c10::mul_overflows to validate memory allocation calculations before performing the allocation. Users should update to a version containing this commit to protect against this vulnerability (GitHub Commit).
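The arithmetic behind this class of bug, next to a checked form of the same calculation, as an added C++ example that is not ExecuTorch's code. Elem, allocate_list and hostile_count are hypothetical names, and the GCC/Clang builtin __builtin_mul_overflow is an assumed stand-in for the c10::mul_overflows check the fix is described as using.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <limits>

// Hypothetical element type standing in for T in "size * sizeof(T)".
struct Elem { std::uint64_t a; std::uint64_t b; };  // 16 bytes

// Unchecked form: the byte count silently wraps when count is large enough.
std::size_t unchecked_bytes(std::size_t count) {
  return count * sizeof(Elem);
}

// Checked form: reports failure instead of returning a wrapped byte count.
// __builtin_mul_overflow returns true when the product does not fit in *out.
bool checked_bytes(std::size_t count, std::size_t* out) {
  return !__builtin_mul_overflow(count, sizeof(Elem), out);
}

// Allocation wrapper that rejects a request whose size calculation overflows,
// so the caller never receives a region smaller than count elements.
Elem* allocate_list(std::size_t count) {
  std::size_t bytes = 0;
  if (!checked_bytes(count, &bytes)) {
    return nullptr;  // treat as a malformed model, do not allocate
  }
  return static_cast<Elem*>(std::malloc(bytes));
}

// Constructed sample: an element count, as it might be read from an untrusted
// model file, chosen so that count * sizeof(Elem) wraps to exactly one element.
std::size_t hostile_count() {
  return std::numeric_limits<std::size_t>::max() / sizeof(Elem) + 2;
}

int main() {
  std::size_t n = hostile_count();
  std::printf("count claimed by file : %zu\n", n);
  std::printf("unchecked byte count  : %zu\n", unchecked_bytes(n));
  Elem* p = allocate_list(n);
  std::printf("checked allocation    : %s\n", p ? "allocated" : "rejected");
  std::free(p);
  return 0;
}
```

The unchecked path would request 16 bytes while the loader still believes it owns the full element count, which is the undersized region the advisory describes; the checked path refuses the request before any allocation happens.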
Source: This report was generated using AI