CVE-2026-38950 Overview
CVE-2026-38950 is an unsafe deserialization vulnerability in the European Space Agency (ESA) AnomalyMatch project before version 1.3.1. The application loads machine learning model checkpoint files from session directories using PyTorch's torch.load() function without restricting deserialization. Attackers who can place a crafted checkpoint file in a session directory can execute arbitrary code in the context of the AnomalyMatch process. The flaw is classified under CWE-502: Deserialization of Untrusted Data.
Critical Impact
A local attacker with low privileges can achieve arbitrary code execution by supplying a malicious model checkpoint that AnomalyMatch deserializes through torch.load().
Affected Products
- ESA AnomalyMatch versions before 1.3.1
- Components that load model files from session directories
- Python environments using torch.load() with unrestricted deserialization
Discovery Timeline
- 2026-06-01 - CVE-2026-38950 published to NVD
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-38950
Vulnerability Analysis
AnomalyMatch is a semi-supervised anomaly detection tool used for identifying rare patterns in astronomical datasets. The application persists trained model state to checkpoint files and reloads them across sessions. The vulnerable code path uses PyTorch's torch.load() to restore these checkpoints without specifying weights_only=True or another safe deserialization mode. Because torch.load() relies on Python's pickle module by default, deserialization can invoke arbitrary callables embedded in the checkpoint, including __reduce__ methods that execute attacker-controlled code.
Root Cause
The root cause is unrestricted deserialization of untrusted input. PyTorch checkpoint files are pickle streams, and pickle.load() will instantiate any class and execute any callable referenced in the stream. AnomalyMatch reads checkpoints from session directories that an attacker with local access can write to, allowing them to replace legitimate model files with malicious payloads.
Attack Vector
An attacker with local file system access to a session directory drops a crafted .pt or .pth checkpoint file. When AnomalyMatch loads the file through torch.load(), the embedded __reduce__ payload executes arbitrary commands under the application's user context. Exploitation requires low privileges and no user interaction. The malicious payload typically uses Python primitives such as os.system or subprocess.Popen invoked through pickle reduction protocols.
No verified proof-of-concept code is published. See the IMLabs Security Advisory CVE-2026-38950 and the GitHub Pull Request Update for technical details.
Detection Methods for CVE-2026-38950
Indicators of Compromise
- Unexpected .pt, .pth, or .ckpt files appearing in AnomalyMatch session directories from non-administrative users
- Child processes spawned by the Python interpreter running AnomalyMatch that invoke shells, curl, wget, or network listeners
- Outbound network connections from the AnomalyMatch process to unknown hosts immediately after model load operations
Detection Strategies
- Monitor file integrity on session and checkpoint directories used by AnomalyMatch and alert on writes from unauthorized accounts
- Inspect Python audit hook logs for calls to pickle.Unpickler.find_class resolving to suspicious modules such as os, subprocess, or builtins.exec
- Correlate torch.load() invocations with subsequent process creation events to surface deserialization-driven code execution
Monitoring Recommendations
- Enable Python's sys.addaudithook to record deserialization events in production AnomalyMatch deployments
- Forward process, file, and network telemetry from hosts running AnomalyMatch to a centralized analytics platform for behavioral correlation
- Baseline normal child process behavior of the AnomalyMatch Python interpreter and alert on deviations
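The audit-hook approach described above, as an added example that is not part of AnomalyMatch or this advisory: CPython raises the 'pickle.find_class' audit event for every global a pickle stream resolves, so a hook installed at interpreter start can log each lookup and abort the ones no legitimate checkpoint ever needs. The blocked-module sets, the sample streams and all function names are assumptions constructed here.

```python
import os
import pickle
import sys

# Module roots a checkpoint's state_dict never needs; a 'pickle.find_class' lookup into
# any of them is the signal the Detection Strategies above describe (tune per deployment)
BLOCKED_MODULES = {"os", "posix", "nt", "subprocess", "shutil", "socket"}
BLOCKED_BUILTINS = {"eval", "exec", "compile", "__import__", "getattr", "open"}
# Every (module, name, suspicious) lookup seen by any Unpickler in this process
FIND_CLASS_LOG = []

def is_suspicious_global(module, name):
    """Classify one global reference that a pickle stream asks find_class to resolve."""
    root = module.split(".")[0]
    return root in BLOCKED_MODULES or (root == "builtins" and name in BLOCKED_BUILTINS)

def checkpoint_audit_hook(event, args):
    """sys.addaudithook callback: CPython raises 'pickle.find_class' with (module, name)
    from Unpickler.find_class, the exact step a crafted checkpoint abuses."""
    if event != "pickle.find_class":
        return
    module, name = args
    suspicious = is_suspicious_global(module, name)
    FIND_CLASS_LOG.append((module, name, suspicious))
    if suspicious:
        # Raising inside the hook aborts the lookup, so pickle.load() and torch.load()
        # fail before any object from the blocked module is reconstructed or called
        raise RuntimeError(f"blocked pickle global {module}.{name}")

def install_checkpoint_audit_hook():
    """Call once at interpreter start; audit hooks cannot be removed afterwards."""
    sys.addaudithook(checkpoint_audit_hook)

def try_load(stream):
    """Deserialize a byte stream, returning ('ok', obj) or ('blocked', reason)."""
    try:
        return ("ok", pickle.loads(stream))
    except RuntimeError as exc:
        return ("blocked", str(exc))

# Constructed samples, not real AnomalyMatch checkpoints: a state_dict-like mapping, and a
# stream holding only a bare reference into os (serialized as e.g. posix.getcwd; nothing runs)
BENIGN_STREAM = pickle.dumps({"layer.weight": [0.1, 0.2], "layer.bias": [0.0]})
FLAGGED_STREAM = pickle.dumps(os.getcwd)

if __name__ == "__main__":
    install_checkpoint_audit_hook()
    print(try_load(BENIGN_STREAM))
    print(try_load(FLAGGED_STREAM))
    print(FIND_CLASS_LOG)
```

In a real deployment the hook would forward FIND_CLASS_LOG entries to the telemetry pipeline instead of keeping them in memory.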
How to Mitigate CVE-2026-38950
Immediate Actions Required
- Upgrade ESA AnomalyMatch to version 1.3.1 or later, which addresses the unrestricted deserialization issue per the upstream pull request
- Restrict write permissions on session and checkpoint directories to trusted users only
- Audit existing checkpoint files for tampering and replace any of unknown provenance with known-good copies
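One way to audit existing checkpoint files for tampering without loading them, as an added example that is not part of AnomalyMatch or this advisory: walk the pickle opcodes with pickletools and report every module reference outside an allow-list. The allowed-module set, the archive layout (data.pkl inside the zip container) and the sample streams are assumptions constructed here.

```python
import collections
import io
import os
import pickle
import pickletools
import zipfile

ALLOWED_ROOTS = {"torch", "collections", "numpy", "copyreg", "_codecs"}  # tune per deployment
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "SHORT_BINSTRING", "BINSTRING"}

def pickle_globals(stream):
    """Every (module, name) the stream would hand to find_class, found without loading it.
    GLOBAL carries both names inline; STACK_GLOBAL pops them, so string pushes and memo
    fetches are tracked (a heuristic that holds for streams written by Python's pickler)."""
    found, pushed, memo, last = [], [], {}, None
    for op, arg, _pos in pickletools.genops(stream):
        if op.name in STRING_OPS:
            last = arg; pushed.append(arg)
        elif op.name in ("BINGET", "LONG_BINGET"):
            last = memo.get(arg); pushed.append(last)
        elif op.name == "MEMOIZE":
            memo[len(memo)] = last          # implicit index: the next free memo slot
        elif op.name in ("BINPUT", "LONG_BINPUT"):
            memo[arg] = last                # explicit index (protocol 2, PyTorch's default)
        elif op.name == "GLOBAL":
            found.append(tuple(arg.split(" ", 1))); last = None
        elif op.name == "STACK_GLOBAL":
            found.append((pushed[-2], pushed[-1])); last = None
        else:
            last = None
    return found

def scan_checkpoint(data):
    """Report globals outside ALLOWED_ROOTS in checkpoint bytes: a zip-based .pt/.pth keeps
    its pickle at <archive>/data.pkl; any other input is treated as one raw pickle stream."""
    buf, streams = io.BytesIO(data), [data]
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            streams = [zf.read(n) for n in zf.namelist() if n.endswith("data.pkl")]
    return [(m, n) for s in streams for m, n in pickle_globals(s)
            if m is None or m.split(".")[0] not in ALLOWED_ROOTS]

def constructed_checkpoint(stream):
    buf = io.BytesIO()   # wrap a pickle stream in the zip layout torch.save() produces
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", stream)
    return buf.getvalue()

# Constructed samples: a state_dict-like OrderedDict written with protocol 2 as PyTorch does,
# and a stream holding only a bare reference into os (e.g. posix.getcwd; nothing is executed)
CLEAN_STREAM = pickle.dumps(collections.OrderedDict(w=[0.5]), protocol=2)
CLEAN_CHECKPOINT = constructed_checkpoint(CLEAN_STREAM)
FLAGGED_CHECKPOINT = constructed_checkpoint(pickle.dumps(os.getcwd))
```

Run scan_checkpoint() over the bytes of each file in a session directory; a non-empty result marks a checkpoint to quarantine rather than load.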
Patch Information
The maintainers fixed the issue in AnomalyMatch 1.3.1. Review the GitHub Pull Request Update and the IMLabs Security Advisory for the full remediation. Operators should pin dependencies to the patched release and rebuild any container images that bundle the vulnerable version.
Workarounds
- If immediate upgrade is not possible, run AnomalyMatch under a dedicated low-privilege service account with no shell access
- Mount session directories as read-only for the application user where the workflow permits, and stage new checkpoints through a controlled pipeline
- Wrap torch.load() calls with weights_only=True in local forks to disable arbitrary object reconstruction
# Configuration example: enforce safe checkpoint loading and restrict directory permissions
pip install --upgrade "anomalymatch>=1.3.1"
chown -R anomalymatch:anomalymatch /var/lib/anomalymatch/sessions
chmod 700 /var/lib/anomalymatch/sessions
# When patching forks, prefer: torch.load(path, weights_only=True)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.