CVE-2026-10801 Overview
CVE-2026-10801 is a weak hash vulnerability in ModelScope ms-swift versions up to 4.2.0. The flaw resides in the Template._save_pil_image function within swift/template/base.py, part of the PIL Image Cache Key Handler component. The implementation relies on a cryptographically weak hash algorithm to generate cache keys, which can produce collisions [CWE-327]. Exploitation requires local access, valid low privileges, and high attack complexity, making practical abuse difficult. The exploit has been publicly disclosed, and the pull request to remediate the issue is pending acceptance.
Critical Impact
Local attackers with low privileges may induce hash collisions in image cache key generation, potentially leading to incorrect cache reuse or limited integrity and availability impact within ms-swift workflows.
Affected Products
- ModelScope ms-swift versions up to and including 4.2.0
- swift/template/base.py source file
- PIL Image Cache Key Handler component (Template._save_pil_image)
Discovery Timeline
- 2026-06-04 - CVE-2026-10801 published to NVD
- 2026-06-04 - Last updated in NVD database
Technical Details for CVE-2026-10801
Vulnerability Analysis
The vulnerability exists in the _save_pil_image method of the Template class in swift/template/base.py. This routine generates cache keys for Python Imaging Library (PIL) image objects using a cryptographically weak hashing algorithm. Weak hash functions exhibit a higher probability of collisions, allowing distinct image inputs to map to the same cache key. When training or inference pipelines rely on this cache, a collision can return the wrong cached representation, degrading data integrity or producing inconsistent behavior. The issue is classified under CWE-327 (Use of a Broken or Risky Cryptographic Algorithm).
Root Cause
The root cause is the selection of a non-collision-resistant hash function for content-addressable caching of PIL images. Cache keying schemes that ingest attacker-controllable or attacker-influenceable image data require collision-resistant primitives such as SHA-256. The use of a weak primitive in Template._save_pil_image violates this requirement.
Attack Vector
The attack vector is local. An adversary must already hold low-privileged access to the host running ms-swift and supply crafted image inputs that hash to the same cache key as a legitimate image. The vulnerability description notes high attack complexity and limited integrity and availability impact, with no confidentiality impact. Refer to the GitHub Issue Report and VulDB Vulnerability Details for additional technical context.
No verified proof-of-concept code is available. The vulnerability mechanism is described in prose because no public exploit code has been verified against this advisory.
Detection Methods for CVE-2026-10801
Indicators of Compromise
- Unexpected reuse of cached PIL image objects across distinct training or inference inputs in ms-swift pipelines.
- Anomalous file or memory artifacts produced by Template._save_pil_image where input images differ but cache keys match.
- Presence of ms-swift installations at versions 4.2.0 or earlier in machine learning hosts.
Detection Strategies
- Inventory all hosts running ms-swift and verify the installed version against the 4.2.0 ceiling.
- Audit swift/template/base.py for the unpatched _save_pil_image implementation referenced in GitHub Pull Request #9359.
- Instrument the cache layer to log hash inputs and outputs, then alert on collisions across distinct image payloads.
Monitoring Recommendations
- Monitor local user activity on ML training hosts for unexpected file submissions to ms-swift pipelines.
- Track package manifests in CI/CD and container builds to flag any pinned ms-swift version at or below 4.2.0.
- Review training job outputs for integrity anomalies that may indicate cache key collisions.
How to Mitigate CVE-2026-10801
Immediate Actions Required
- Restrict local access to systems running ms-swift to trusted operators only.
- Identify and isolate workflows that process untrusted image inputs through Template._save_pil_image.
- Track the status of the upstream fix in GitHub Pull Request #9359 and plan deployment once merged.
Patch Information
At the time of publication, the pull request to fix CVE-2026-10801 awaits acceptance in the upstream ms-swift repository. No vendor-released patched version is listed in the advisory. Operators should monitor the GitHub Issue Report and the VulDB CVE Entry for updates and apply the fix as soon as it is merged and released.
Workarounds
- Replace the weak hash invocation in _save_pil_image with a collision-resistant algorithm such as SHA-256 in a local fork until an upstream release is available.
- Disable or bypass the PIL image cache in deployments that process attacker-influenceable image data.
- Enforce least-privilege controls so that only vetted accounts can submit workloads to ms-swift.
# Configuration example: verify installed ms-swift version and pin to a patched release once available
pip show ms-swift | grep -i version
# After the upstream fix is merged and released, upgrade:
# pip install --upgrade ms-swift
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

