CVE-2026-34445
Received Received - Intake
Arbitrary Attribute Overwrite in ONNX ExternalDataInfo Component

Publication date: 2026-04-01

Last updated on: 2026-04-15

Assigner: GitHub, Inc.

Description
Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, the ExternalDataInfo class in ONNX was using Python’s setattr() function to load metadata (like file paths or data lengths) directly from an ONNX model file. It didn’t check if the "keys" in the file were valid. Due to this, an attacker could craft a malicious model that overwrites internal object properties. This issue has been patched in version 1.21.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-01
Last Modified
2026-04-15
Generated
2026-06-16
AI Q&A
2026-04-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34445
EUVD
EUVD-2026-17985
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linuxfoundation onnx to 1.21.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-915 The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-34445 is a critical security vulnerability in the Open Neural Network Exchange (ONNX) package affecting versions prior to 1.21.0. The issue arises because the ExternalDataInfo class uses Python's setattr() function to load metadata such as file paths and data lengths from ONNX model files without validating the keys. This lack of validation allows attackers to craft malicious ONNX models that inject arbitrary or special keys (including Python dunder attributes) into the object.

This vulnerability enables attackers to overwrite internal object properties, leading to object state corruption, type confusion, and resource exhaustion. Specifically, attackers can inject unknown or dangerous keys, set negative or extremely large values for offset and length, and cause denial of service or unauthorized file access.

The vulnerability was addressed by implementing a three-layer defense: a strict whitelist of allowed keys, parse-time validation of offset and length to ensure they are non-negative integers, and file-size boundary checks at read time to prevent out-of-bounds or excessive memory usage.

Compliance Impact

The provided information does not explicitly discuss the impact of CVE-2026-34445 on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability can impact you in several critical ways if you use vulnerable versions of ONNX to load untrusted or malicious models:

  • Denial of Service (DoS): Attackers can specify extremely large values for the 'length' attribute, causing the system to attempt massive memory allocation (e.g., petabytes of RAM), leading to crashes, freezes, or server outages.
  • Unauthorized Access: By setting negative offsets, attackers can trick the system into reading unauthorized parts of files, potentially exposing sensitive data.
  • Object Corruption and Type Confusion: Injection of special Python dunder attributes (like '__class__') can corrupt the internal state of objects, potentially enabling further exploits or unexpected behavior.

Overall, the vulnerability can cause low confidentiality and integrity loss but has a high impact on availability, making systems unstable or unusable.

Detection Guidance

Detection of this vulnerability involves identifying malicious ONNX model files that contain crafted external_data entries with invalid or unexpected keys, negative or non-numeric offset/length values, or excessively large length values that could cause resource exhaustion.

Since the vulnerability is related to the ExternalDataInfo class loading metadata from ONNX model files, you can detect suspicious models by inspecting the external_data attributes for keys outside the whitelist (`location`, `offset`, `length`, `checksum`, `basepath`), or for negative or unusually large numeric values.

Suggested commands to detect potentially malicious ONNX models include:

  • Use a Python script or tool to parse ONNX model files and check the external_data attributes for unknown keys or invalid values.
  • Example Python snippet to list external_data keys and values in a model file:
  • ```python import onnx model = onnx.load('model.onnx') for tensor in model.graph.initializer: for entry in tensor.external_data: print(f'Key: {entry.key}, Value: {entry.value}') ```
  • Manually or programmatically verify that keys are only from the allowed whitelist and that offset and length values are non-negative integers and within reasonable size limits.
  • Monitor logs or warnings emitted by ONNX loading code, as the patched version issues warnings when unknown keys are encountered.
Mitigation Strategies

The primary mitigation step is to upgrade the ONNX package to version 1.21.0 or later, where this vulnerability has been patched.

The patch implements a three-layer defense-in-depth approach:

  • Strict whitelist enforcement of allowed keys in external_data attributes to prevent arbitrary attribute injection.
  • Validation at parse time to ensure offset and length values are non-negative integers.
  • File-size boundary checks at read time to prevent out-of-bounds reads and resource exhaustion.

Additional immediate steps include:

  • Avoid loading ONNX models from untrusted or unauthenticated sources.
  • If upgrading is not immediately possible, implement manual validation of ONNX model files to reject those with suspicious external_data entries.
  • Monitor application logs for warnings related to unknown external_data keys or validation errors.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34445. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart