The Open Source Technology Improvement Fund is proud to share the results of our security audit of PyTorch ExecuTorch. PyTorch is a popular open source deep learning library, with multiple subprojects including ExecuTorch. ExecuTorch enables PyTorch on-device inference capabilities across mobile and edge devices. Thanks to Trail of Bits and Alpha-Omega, this project underwent a custom engagement of security review and testing.
Audit Process:
In January and February 2026, Trail of Bits engineers executed a whitebox code audit with static and dynamic testing through automated and manual processes. This engagement focused on the security of PTE file parsing and model loading, memory safety of the C++ runtime and kernel implementations, and input validation of data deserialized from model files. Auditors additionally fuzz tested PTE (Portable Tensor Executable) file parsing and execution paths.
Audit Results:
- 42 Findings with Security Impact
- 8 High
- 14 Medium
- 19 Low
- 1 Undetermined
- Future Security Development Recommendations
- Verified Fix Review
- Fuzz Testing Review and Development Results
Auditors note in the summary that this work was scoped in size and focus. In particular, the project would benefit from a complete component review, since this audit resulted in mainly data validation findings. PyTorch maintainers worked with the audit team to resolve the findings of this report and the audit report contains fix review results of this work. Update to the most recent release of PyTorch Executorch to take advantage of the hard work done by the individuals involved. Learn more about how you can contribute to PyTorch ExecuTorch on their webpage.
Thank you to the individuals and groups that made this engagement possible:
- PyTorch ExecuTorch maintainers and community, especially: Lucy Qiu, Mergen Nachin, Bilgin Cagatay, and Jacob Szwejbka
- Trail of Bits, especially: Artur Cygan, Will Vandevanter, Fredrik Dahlgren and Emily Doucette
- Alpha-Omega
You can read the Audit Report HERE
Everyone around the world depends on open source software. If you’re interested in supporting this critical work, reach out to us!