CVE-2026-34445
Arbitrary Attribute Overwrite in ONNX ExternalDataInfo Component
Publication date: 2026-04-01
Last updated on: 2026-04-15
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxfoundation | onnx | to 1.21.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-915 | The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34445 is a critical security vulnerability in the Open Neural Network Exchange (ONNX) package affecting versions prior to 1.21.0. The issue arises because the ExternalDataInfo class uses Python's setattr() function to load metadata such as file paths and data lengths from ONNX model files without validating the keys. This lack of validation allows attackers to craft malicious ONNX models that inject arbitrary or special keys (including Python dunder attributes) into the object.
This vulnerability enables attackers to overwrite internal object properties, leading to object state corruption, type confusion, and resource exhaustion. Specifically, attackers can inject unknown or dangerous keys, set negative or extremely large values for offset and length, and cause denial of service or unauthorized file access.
The vulnerability was addressed by implementing a three-layer defense: a strict whitelist of allowed keys, parse-time validation of offset and length to ensure they are non-negative integers, and file-size boundary checks at read time to prevent out-of-bounds or excessive memory usage.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not explicitly discuss the impact of CVE-2026-34445 on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability impact me? :
This vulnerability can impact you in several critical ways if you use vulnerable versions of ONNX to load untrusted or malicious models:
- Denial of Service (DoS): Attackers can specify extremely large values for the 'length' attribute, causing the system to attempt massive memory allocation (e.g., petabytes of RAM), leading to crashes, freezes, or server outages.
- Unauthorized Access: By setting negative offsets, attackers can trick the system into reading unauthorized parts of files, potentially exposing sensitive data.
- Object Corruption and Type Confusion: Injection of special Python dunder attributes (like '__class__') can corrupt the internal state of objects, potentially enabling further exploits or unexpected behavior.
Overall, the vulnerability can cause low confidentiality and integrity loss but has a high impact on availability, making systems unstable or unusable.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying malicious ONNX model files that contain crafted external_data entries with invalid or unexpected keys, negative or non-numeric offset/length values, or excessively large length values that could cause resource exhaustion.
Since the vulnerability is related to the ExternalDataInfo class loading metadata from ONNX model files, you can detect suspicious models by inspecting the external_data attributes for keys outside the whitelist (`location`, `offset`, `length`, `checksum`, `basepath`), or for negative or unusually large numeric values.
Suggested commands to detect potentially malicious ONNX models include:
- Use a Python script or tool to parse ONNX model files and check the external_data attributes for unknown keys or invalid values.
- Example Python snippet to list external_data keys and values in a model file:
- ```python import onnx model = onnx.load('model.onnx') for tensor in model.graph.initializer: for entry in tensor.external_data: print(f'Key: {entry.key}, Value: {entry.value}') ```
- Manually or programmatically verify that keys are only from the allowed whitelist and that offset and length values are non-negative integers and within reasonable size limits.
- Monitor logs or warnings emitted by ONNX loading code, as the patched version issues warnings when unknown keys are encountered.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the ONNX package to version 1.21.0 or later, where this vulnerability has been patched.
The patch implements a three-layer defense-in-depth approach:
- Strict whitelist enforcement of allowed keys in external_data attributes to prevent arbitrary attribute injection.
- Validation at parse time to ensure offset and length values are non-negative integers.
- File-size boundary checks at read time to prevent out-of-bounds reads and resource exhaustion.
Additional immediate steps include:
- Avoid loading ONNX models from untrusted or unauthenticated sources.
- If upgrading is not immediately possible, implement manual validation of ONNX model files to reject those with suspicious external_data entries.
- Monitor application logs for warnings related to unknown external_data keys or validation errors.