CVE-2026-14647
Received Received - Intake

Out-of-Bounds Read in ONNX Runtime

Vulnerability report for CVE-2026-14647, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-04

Last updated on: 2026-07-04

Assigner: VulDB

Description

A weakness has been identified in onnx up to 1.21.x. This vulnerability affects the function convPoolShapeInference_opset19 of the file onnx/defs/nn/old.cc of the component onnxruntime. This manipulation causes out-of-bounds read. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. Patch name: a7bf3a0f1d18bb62575236ef6e4944980c40e045. It is recommended to apply a patch to fix this issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-04
Last Modified
2026-07-04
Generated
2026-07-04
AI Q&A
2026-07-04
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
onnx onnx to 1.21.x (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-14647 is a vulnerability in the ONNX framework affecting the convPoolShapeInference_opset19 function in the file onnx/defs/nn/old.cc. The issue arises when the convolution node's weight tensor has more spatial dimensions than the input tensor, and no explicit kernel_shape attribute is provided. In this case, kernel_shape is derived from the weight tensor, which can exceed the size of the dilations vector that corresponds to the input tensor's spatial rank. This mismatch causes an out-of-bounds read during shape inference, potentially leading to memory safety issues.

The vulnerability affects convolution, pooling, and ROI pooling operators by allowing heap buffer over-reads when tensor shapes and attributes are not properly validated. The root cause is insufficient validation of input tensor dimensions and operator attributes such as dilations, kernel_shape, pads, strides, output_shape, output_padding, and pooled_shape.

The issue has been fixed by increasing the minimum required dimensions for input tensors, adding strict validation checks for attribute sizes and values, replacing silent failures with explicit error messages, and refining output shape computations to handle negative values safely. These improvements make the shape inference process more robust and prevent invalid configurations from causing out-of-bounds memory access.

Impact Analysis

This vulnerability can lead to out-of-bounds memory reads during the shape inference phase of ONNX models, which may cause crashes or undefined behavior in applications using the ONNX runtime. Since the attack can be initiated remotely by providing specially crafted ONNX models, it poses a security risk to systems that process untrusted or external models.

Exploitation of this vulnerability could allow attackers to read sensitive memory areas, potentially leading to information disclosure or destabilization of the affected application. Although the CVSS base score indicates a moderate severity, the presence of a public exploit increases the risk.

Applying the provided patch is recommended to mitigate these risks by ensuring proper validation and preventing out-of-bounds reads.

Detection Guidance

This vulnerability can be detected by analyzing ONNX models that use convolution or pooling operators where the weight tensor's spatial rank exceeds the input tensor's spatial rank, especially if no explicit kernel_shape attribute is provided. A proof-of-concept ONNX model (255 bytes) exists to reproduce the issue.

Detection involves checking for malformed ONNX models that trigger out-of-bounds reads in the convPoolShapeInference_opset19 function within onnx/defs/nn/old.cc.

While no specific commands are provided in the resources, you can use tools like onnxruntime or onnx shape inference utilities to load and validate models. Running shape inference on suspicious models may trigger errors or crashes indicating the vulnerability.

  • Use onnxruntime or onnx shape inference tools to load and validate ONNX models.
  • Check for models where convolution or pooling operators have weight tensors with higher spatial rank than input tensors.
  • Attempt to run shape inference on models and observe for errors related to kernel_shape, dilations, or out-of-bounds accesses.
Mitigation Strategies

The primary mitigation step is to apply the patch identified by commit a7bf3a0f1d18bb62575236ef6e4944980c40e045 to the ONNX framework.

This patch improves validation checks in the shape inference code, ensuring that attributes like kernel_shape, dilations, pads, strides, and others are properly validated to prevent out-of-bounds reads.

Until the patch is applied, avoid processing untrusted or malformed ONNX models that could exploit this vulnerability.

  • Update ONNX to a version including the patch a7bf3a0f1d18bb62575236ef6e4944980c40e045 or later.
  • Validate all ONNX models before use, ensuring they conform to expected tensor shapes and attributes.
  • Restrict usage of ONNX models from untrusted sources until patched.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14647. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart