What is GHSA-7g5w-pq96-8c5w?

GHSA-7g5w-pq96-8c5w is a security advisory published by GitHub Security Advisories with High severity. flash-attention contains an insecure deserialization vulnerability in its checkpoint loading mechanism

Which CVE IDs does GHSA-7g5w-pq96-8c5w cover?

GHSA-7g5w-pq96-8c5w covers the following CVE IDs: CVE-2026-31253. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-7g5w-pq96-8c5w?

GHSA-7g5w-pq96-8c5w has a CVSS v3 base score of 7.3, published by GitHub Security Advisories.

Which products are affected by GHSA-7g5w-pq96-8c5w?

GHSA-7g5w-pq96-8c5w affects 1 product, including: pip/flash_attn:\u003c= 2.8.3.

GHSA-7g5w-pq96-8c5wHighCVSS 7.3

flash-attention contains an insecure deserialization vulnerability in its checkpoint loading mechanism

Vendor

GitHub Security Advisories

Published

May 11, 2026

Last Modified

May 18, 2026

🔗 CVE IDs covered (1)

CVE-2026-31253 →

📋 Description

The flash-attention training framework thru commit e724e2588cbe754beb97cf7c011b5e7e34119e62 (2025-13-04) contains an insecure deserialization vulnerability (CWE-502) in its checkpoint loading mechanism. The load_checkpoint() function in checkpoint.py and the checkpoint loading code in eval.py use torch.load() without enabling the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing a maliciously crafted checkpoint file. When a victim loads this checkpoint during model warmstarting or evaluation, arbitrary code is executed on the victim's system.

🎯 Affected products1

pip/flash_attn:<= 2.8.3

🔗 CVE IDs covered (1)

📋 Description

🎯 Affected products1

🔗 References (4)