CVE-2026-31239
CriticalSummary
The mamba language model framework up to version 2.2.6 is vulnerable to insecure deserialization when loading pre-trained models from HuggingFace Hub. The MambaLMHeadModel.from_pretrained() method uses torch.load() to load the pytorch_model.bin weight file without enabling the weights_only=True parameter, allowing the deserialization of arbitrary Python objects.
Risk Assessment
An attacker can publish a malicious model repository on HuggingFace Hub, allowing arbitrary code execution on the victim's system in the context of the mamba process. This poses a significant security risk to systems using this framework.
Recommendation
It is recommended to update the mamba framework to the latest version that addresses this vulnerability and to enable the weights_only=True parameter when loading models. Additionally, avoid loading models from unknown or unverified sources.
Original NVD description (English source)
The mamba language model framework thru 2.2.6 is vulnerable to insecure deserialization (CWE-502) when loading pre-trained models from HuggingFace Hub. The MambaLMHeadModel.from_pretrained() method uses torch.load() to load the pytorch_model.bin weight file without enabling the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by publishing a malicious model repository on HuggingFace Hub. When a victim loads a model from this repository, arbitrary code is executed on the victim's system in the context of the mamba process.

