Title
Abstract
This talk examines security risks in core AI infrastructure. As competitions such as Pwn2Own Berlin and ZeroDay.Cloud began targeting AI products including Ollama, NVIDIA Triton, and vLLM, the researchers focused on the attack surfaces of inference frameworks. Starting from vLLM’s completions endpoint support for prompt_embeds, which is eventually loaded through torch.load with weights_only, they investigated whether a previous bypass technique related to CVE-2025-32434 could be extended. After further research, they discovered CVE-2026-24747, a heap overflow vulnerability that bypasses PyTorch’s weights_only protection and enables compromise of vLLM.
The talk also shows that PyTorch-related vulnerabilities are not limited to model poisoning: many AI applications expose APIs that may trigger torch.load during model loading, LoRA fine-tuning, or other common workflows. Using this attack surface, the researchers compromised Elasticsearch, vLLM, OpenLLM, ComfyUI and NVIDIA Dynamo under default configurations.