Stats Digest Feeds
โ† Back to all CVEs

CVE-2026-57516

HIGH NVD
CVSS Score 8.8
Severity HIGH
Published Jul 01, 2026
Vendor unknown

Description

Ray prior to 2.56.0 contains an unsafe deserialization vulnerability in the WebDataset reader that allows attackers to achieve remote code execution by supplying a malicious tar archive to the read_webdataset() function. The _default_decoder() function in webdataset_datasource.py unconditionally calls pickle.loads() on tar entries with .pkl/.pickle extensions and torch.load() with weights_only=False on .pt/.pth entries, executing arbitrary code inside Ray remote workers on every worker that processes the malicious archive.

References