CVE-2026-34445

EPSS 0.29%
Veröffentlicht 01.04.2026 17:30:19
Zuletzt bearbeitet 15.04.2026 15:08:13
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

ONNX: Malicious ONNX models can crash servers by exploiting unprotected object settings.

Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, the ExternalDataInfo class in ONNX was using Python’s setattr() function to load metadata (like file paths or data lengths) directly from an ONNX model file. It didn’t check if the "keys" in the file were valid. Due to this, an attacker could craft a malicious model that overwrites internal object properties. This issue has been patched in version 1.21.0.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 3 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Linuxfoundation ≫ Onnx Version < 1.21.0

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.29%	0.202

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	8.6	3.9	4.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

https://github.com/onnx/onnx/security/advisories/GHSA-538c-55jv-c5g9

Patch

Vendor Advisory

https://github.com/onnx/onnx/pull/7751

Patch

Issue Tracking

https://github.com/onnx/onnx/commit/e30c6935d67cc3eca2fa284e37248e7c0036c46b

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-34445

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-34445

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-34445

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-34445