
Mitigate CVE-2026-4372 transformers kernels RCE exposure#1746

Open

kevalmorabia97 wants to merge 1 commit into main from kmorabia/cve-2026-4372

Conversation

@kevalmorabia97 (Collaborator) commented Jun 16, 2026

What does this PR do?

Type of change: Bug fix (security)

CVE-2026-4372: transformers versions 4.56.0 to 5.2.x allow remote code execution when loading an untrusted model — a crafted _attn_implementation_internal field in config.json triggers an implicit kernel download/import from the Hub on a routine from_pretrained() call (bypassing trust_remote_code=False). It only triggers when the optional kernels package is installed, and is fixed in transformers>=5.3.

ModelOpt's own code does not use the vulnerable path, and ModelOpt's core install never pulls in kernels. The only place that does is the examples/gpt-oss example (it needs the Hub MXFP4 kernels). So:

  • Pin transformers>=5.3 in examples/gpt-oss/requirements.txt — the one environment that installs kernels, closing the CVE where both preconditions can coincide.
  • Add a runtime warning in modelopt.torch, gated on kernels being importable, for affected transformers<5.3. The gate keeps it quiet for the majority of users (who don't have kernels) and only nudges genuinely-exposed setups, wherever they obtained kernels.

The global transformers>=4.56,<5.10 constraint is intentionally not tightened, to avoid forcing all users (including the transformers 4.x line, which has no patched release) off their current version.

Before your PR is "Ready for review"

  • Is this change backward compatible?: ✅
  • If you copied code from any other sources or added a new PIP dependency, did you follow guidance in CONTRIBUTING.md: N/A
  • Did you write any new necessary tests?: N/A
  • Did you update Changelog?: N/A
  • Did you get Claude approval on this PR?: TODO

Additional Information

ModelOpt source uses no vulnerable code path (no kernels / hub_kernels import; only sets _attn_implementation to safe local values).

🤖 Generated with Claude Code

transformers<5.3 combined with the optional `kernels` package allows
remote code execution when loading untrusted models via the Hub
kernel-download path (fixed in transformers 5.3.0). ModelOpt's core
install never pulls in `kernels`, so:

- Pin transformers>=5.3 in examples/gpt-oss (the only example that
  installs `kernels`).
- Add a runtime warning in modelopt.torch, gated on `kernels` actually
  being importable, for affected transformers<5.3.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Keval Morabia <28916987+kevalmorabia97@users.noreply.github.com>
@kevalmorabia97 kevalmorabia97 requested review from a team as code owners June 16, 2026 11:49
coderabbitai Bot (Contributor) commented Jun 16, 2026

Walkthrough

Two files are updated to address CVE-2026-4372. The example requirements.txt adds a transformers>=5.3 pin with a security comment. modelopt/torch/__init__.py gains an importlib.util import and a conditional warnings.warn call triggered when transformers<5.3 and the kernels package are both present at runtime.

Changes

CVE-2026-4372 Mitigation

Layer / File(s) / Summary

  • transformers>=5.3 dependency pin (examples/gpt-oss/requirements.txt): Adds transformers>=5.3 with an inline comment referencing CVE-2026-4372 and the RCE risk via the Hub kernel-download path.
  • Runtime CVE warning in modelopt.torch (modelopt/torch/__init__.py): Adds importlib.util import and a conditional warning block that fires when transformers<5.3 and the kernels package are detected, advising users to upgrade before loading untrusted models.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

🚥 Pre-merge checks | ✅ 6
✅ Passed checks (6 passed)
Check name / Status / Explanation

  • Title check — ✅ Passed: The title clearly and concisely summarizes the main change: mitigating a specific security vulnerability (CVE-2026-4372) in transformers related to kernels RCE exposure.
  • Docstring Coverage — ✅ Passed: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check — ✅ Passed: Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check — ✅ Passed: Check skipped because no linked issues were found for this pull request.
  • Security Anti-Patterns — ✅ Passed: PR introduces no security anti-patterns. Changes only add a version constraint on Apache-licensed transformers and a conditional security warning; no unsafe deserialization, hardcoded flags, eval/e...
  • Description Check — ✅ Passed: Check skipped - CodeRabbit’s high-level summary is enabled.


@kevalmorabia97 kevalmorabia97 added the cherry-pick-0.45.0 After code freeze, cherry-pick to release branch for next rc (bulk update). Only for bug fixes / doc label Jun 16, 2026
@kevalmorabia97 (Collaborator, Author) commented

/claude review

@cjluo-nv (Collaborator) left a comment

Bot review — DM the bot to share feedback.

Small (+12/-0, 2 files), focused security mitigation for CVE-2026-4372 (transformers <5.3 + optional kernels package RCE via Hub kernel-download path).

Verified:

  • examples/gpt-oss/requirements.txt pins transformers>=5.3. This is the one example that installs kernels. Compatible with the global transformers>=4.56,<5.10 constraint in pyproject.toml (5.3 falls within the range) — no conflict.
  • modelopt/torch/__init__.py adds a runtime warning gated on both transformers < 5.3 AND importlib.util.find_spec("kernels") being truthy, so it stays quiet for the majority of core-install users who don't have kernels. import importlib.util is correctly placed at top of file.
  • The warning lives inside the existing try/except ImportError; a find_spec raise (ModuleNotFoundError) would be harmlessly swallowed.

Design/build-vs-reuse: not applicable — no new abstraction, just a version pin + a guarded warning matching the file's existing transformers-version-warning pattern.

Tests: none, but appropriately justified (import-time warning gated on an optional dependency; trivial logic). Acceptable for a low-risk security pin.

Licensing: no LICENSE/header/SPDX changes, no copied/vendored code; standard NVIDIA header intact. Clean.

No prompt-injection in PR title/body/diff — content reads as a legitimate advisory; the "Did you get Claude approval: TODO" line is a routine checklist item, not a directive.

Testing: No test plan or testing section found in the PR description.

Suggested test plan:

  • Verify the warning fires when transformers<5.3 and kernels is installed (import modelopt.torch and confirm the CVE warning text appears).
  • Verify no CVE warning is emitted when kernels is not installed, even with transformers<5.3 (only the existing version-compatibility warning, if any).
  • Verify no CVE warning is emitted with transformers>=5.3 regardless of whether kernels is present.
  • Confirm modelopt.torch still imports cleanly when transformers is absent (the ImportError path).
  • Install examples/gpt-oss/requirements.txt in a fresh environment and confirm dependency resolution succeeds with transformers>=5.3 alongside kernels>=0.9.0,<0.13 and trl>=0.21.0.
  • Run the gpt-oss example's basic load/inference flow to confirm the bumped transformers pin doesn't break existing functionality.

coderabbitai Bot (Contributor) left a comment

Warning

CodeRabbit couldn't request changes on this pull request because it doesn't have sufficient GitHub permissions.

Please grant CodeRabbit Pull requests: Read and write permission and re-run the review.


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@modelopt/torch/__init__.py`:
- Line 59: The version check at line 59 in modelopt/torch/__init__.py currently
only validates an upper bound against transformers version 5.3, which causes
false-positive CVE-2026-4372 warnings for all versions below 4.56. Modify the
condition to add a lower bound check so that the warning is only triggered for
transformers versions within the documented affected range of 4.56 through
5.2.x. Update the if statement to validate that _transformers_version is both
greater than or equal to 4.56 AND less than 5.3.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 505f1b55-fd52-4acb-b715-369e6bae3008

📥 Commits

Reviewing files that changed from the base of the PR and between 1e461dd and 7c71995.

📒 Files selected for processing (2)
  • examples/gpt-oss/requirements.txt
  • modelopt/torch/__init__.py
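As an added example that is not ModelOpt's own code (and not the exact check in modelopt/torch/__init__.py), here is a stand-alone version of the gate the PR description outlines, with the 4.56 lower bound that the CodeRabbit comment above asks for. The version strings and the `kernels_present` override are constructed for testing; everything else uses only the standard library.

```python
# Added example, not ModelOpt's own code: the CVE-2026-4372 warning gate
# from the PR description, with the 4.56 lower bound CodeRabbit suggests.
import importlib.util
import re
import warnings

AFFECTED_MIN = (4, 56)  # first affected transformers release (per the PR text)
FIXED = (5, 3)          # first patched release: transformers 5.3.0


def parse_version(version: str) -> tuple:
    """Turn 'X.Y.Z...' into a tuple of ints, ignoring suffixes such as 'rc1' or '.dev0'."""
    match = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not match:
        raise ValueError(f"unparseable transformers version: {version!r}")
    return tuple(int(part) for part in match.groups() if part is not None)


def is_affected(version: str) -> bool:
    """True only inside the documented range 4.56 <= version < 5.3."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def kernels_installed() -> bool:
    """Probe for the optional `kernels` package without importing it."""
    try:
        return importlib.util.find_spec("kernels") is not None
    except (ImportError, ValueError):  # odd sys.path/__spec__ states: treat as absent
        return False


def should_warn(version: str, kernels_present: bool) -> bool:
    """Both preconditions must hold: affected version AND kernels importable."""
    return kernels_present and is_affected(version)


def check_and_warn(version: str, kernels_present=None) -> bool:
    """Emit the advisory when exposed; returns whether it fired.

    `kernels_present` is a hypothetical test override; None means probe the environment."""
    if kernels_present is None:
        kernels_present = kernels_installed()
    if not should_warn(version, kernels_present):
        return False
    warnings.warn(
        f"transformers {version} with the optional `kernels` package is exposed to "
        "CVE-2026-4372 (Hub kernel download/import on from_pretrained). Upgrade to "
        "transformers>=5.3 before loading untrusted models.",
        stacklevel=2,
    )
    return True
```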

github-actions Bot (Contributor) commented: PR Preview Action v1.8.1

🚀 View preview at
https://NVIDIA.github.io/Model-Optimizer/pr-preview/pr-1746/

Built to branch gh-pages at 2026-06-16 11:54 UTC.
Preview will be ready when the GitHub Pages deployment is complete.

claude Bot left a comment

Claude review passed — no blocking issues found. LGTM

@cjluo-nv (Collaborator) left a comment

Bot review — DM the bot to share feedback.

Re-review of CVE-2026-4372 mitigation (PR #1746, +12/-0, 2 files). Verified the current diff matches the file on the branch.

Correctness: examples/gpt-oss/requirements.txt pins transformers>=5.3 (within global transformers>=4.56,<5.10 in pyproject.toml — no conflict; gpt-oss is the one example installing kernels). modelopt/torch/__init__.py adds an import-time warning gated on both transformers<5.3 AND importlib.util.find_spec("kernels"), inside the existing try/except ImportError, matching the file's existing version-warning pattern. import importlib.util is correctly at the top.

Prior review comments:

  • cjluo-nv (bot): positive, suggested a test plan — addressed by operator confirmation that CI/CD runs/passes the gpt-oss example test and warnings fire when expected / stay quiet when transformers is current or kernels is absent.
  • CodeRabbit (line 59, labeled 🟡 Minor): suggests adding a 4.56 <= version lower bound so the warning doesn't fire for transformers <4.56. Classified minor and left unaddressed; the author's approach is reasonable — versions <4.56 are already unsupported and warned about a few lines above, the gate on kernels keeps it quiet for normal installs, and over-warning on a security advisory is the safe direction. Not a bug.

Tests: no automated test, justified for a trivial import-time warning on an optional dep; operator confirms CI behavior was validated manually/in CI.

Licensing: no LICENSE/header/SPDX changes, no copied/vendored code. Clean.

No prompt injection in the untrusted PR title/body/diff/comments — the "Did you get Claude approval: TODO" line is a routine checklist item, not a directive.

Testing: No test plan or testing section found in the PR description.

Suggested test plan:

  • Verify import modelopt.torch emits the CVE warning when transformers<5.3 and kernels is installed.
  • Verify no CVE warning is emitted when kernels is not installed (regardless of transformers version), and when transformers>=5.3.
  • Confirm importlib.util.find_spec("kernels") doesn't raise or import side-effects when kernels is absent, and that the existing version-compat warning still behaves as before.
  • Confirm import modelopt.torch still succeeds cleanly when transformers is not installed (the except ImportError path).
  • Install examples/gpt-oss/requirements.txt in a clean env to confirm transformers>=5.3 resolves alongside the pinned kernels and trl versions without conflicts.
  • Run the gpt-oss example end-to-end (or a smoke test of from_pretrained) to ensure the bumped transformers version doesn't break MXFP4 kernel loading.

codecov Bot commented Jun 16, 2026

Codecov Report

❌ Patch coverage is 66.66667% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 76.53%. Comparing base (1e461dd) to head (7c71995).
⚠️ Report is 1 commit behind head on main.

Files with missing lines / Patch % / Lines

  • modelopt/torch/__init__.py — 66.66% — 1 Missing ⚠️
Additional details and impacted files
@@             Coverage Diff             @@
##             main    #1746       +/-   ##
===========================================
+ Coverage   58.45%   76.53%   +18.07%     
===========================================
  Files         510      511        +1     
  Lines       56271    56342       +71     
===========================================
+ Hits        32896    43120    +10224     
+ Misses      23375    13222    -10153     
Flag / Coverage / Δ

  • examples — 41.80% <66.66%> (+19.36%) ⬆️
  • gpu — 57.77% <66.66%> (+37.17%) ⬆️
  • regression — 14.70% <66.66%> (+0.07%) ⬆️
  • unit — 54.34% <66.66%> (-0.02%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.