Vulnerabilities ›

CVE-2026-31222

High

CWE-502 — Weakness Type

                    Published: May 12, 2026                      ·  Modified: May 19, 2026                      ·  Source: NVD                

CVSS v3

8.8

🔗 NVD Official

📄 Description (English)

The snorkel library thru v0.10.0 contains an insecure deserialization vulnerability (CWE-502) in the Trainer.load() method of the Trainer class. The method loads model checkpoint files using torch.load() without enabling the security-restrictive weights_only=True parameter. This default behavior allows the deserialization of arbitrary Python objects via the Pickle module. A remote attacker can exploit this by providing a maliciously crafted model file, leading to arbitrary code execution on the victim's system when the file is loaded via the vulnerable method.

🤖 AI Executive Summary

CVE-2026-31222 is an insecure deserialization vulnerability in Snorkel library versions up to 0.10.0 affecting the Trainer.load() method, which fails to restrict pickle deserialization and allows arbitrary code execution. Attackers can exploit this by providing malicious model checkpoint files that execute arbitrary Python code when loaded.

📄 Description (Arabic)

تحتوي مكتبة Snorkel على ثغرة عدم تسلسل غير آمن في دالة Trainer.load() التي تسمح بتنفيذ كود Python تعسفي عند تحميل ملفات نقاط تفتيش النموذج المصابة. يمكن للمهاجمين الاستفادة من هذه الثغرة بتوفير ملفات نموذج مصنوعة بشكل خبيث تحتوي على حمولات ضارة.

🤖 ملخص تنفيذي (AI)

Snorkel library versions through 0.10.0 contain an insecure deserialization flaw in Trainer.load() that permits arbitrary code execution through crafted model files. This vulnerability stems from unsafe use of torch.load() without the weights_only=True security parameter.

🤖 AI Intelligence Analysis Analyzed: May 15, 2026 19:35

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: high

🏢 Affected Saudi Sectors

government banking energy healthcare telecom

🎯 MITRE ATT&CK Techniques

T1204.002 T1566.002 T1203 T1059.006

⚖️ Saudi Risk Score (AI)

9.0

/ 10.0

🔧 Remediation Steps (English)

Upgrade Snorkel library to version 0.10.1 or later immediately. Implement strict file validation and sandboxing for model checkpoint loading. Enable torch.load() with weights_only=True parameter. Restrict model file sources to trusted repositories only. Monitor and audit all model loading operations in production environments.

🔧 خطوات المعالجة (العربية)

قم بترقية مكتبة Snorkel إلى الإصدار 0.10.1 أو أحدث فوراً. طبق التحقق الصارم من الملفات والعزل الآمن عند تحميل نقاط تفتيش النموذج. فعّل torch.load() مع معامل weights_only=True. قيّد مصادر ملفات النموذج للمستودعات الموثوقة فقط. راقب وتدقق جميع عمليات تحميل النموذج في بيئات الإنتاج.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

5.1 5.2

🔵 SAMA CSF

CC-6.1 CC-7.2

🟡 ISO 27001:2022

A.14.2.1 A.14.2.5

🔗 References & Sources 2

🔗

https://github.com/snorkel-team/snorkel

cve@mitre.org

Product

🔗

https://www.notion.so/CVE-2026-31222-35d1e139318881db8398e0732af8df6d

cve@mitre.org

Third Party Advisory

📦 Affected Products / CPE 1 entries

snorkel:snorkel

📊 CVSS Score

8.8

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionR — Required

ScopeU — Unchanged

ConfidentialityH — High

IntegrityH — High

AvailabilityH — High

📋 Quick Facts

Severity High

CVSS Score8.8

CWECWE-502

EPSS0.28%

Exploit No

Patch ✗ No

Published 2026-05-12

Source Feed nvd

🇸🇦 Saudi Risk Score

9.0

/ 10.0 — Saudi Risk

Priority: CRITICAL

🏷️ Tags

CWE-502

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-31222

Introduce Yourself

Sign In Required