CVE-2026-44512 in ONNX
Summary
by MITRE • 07/08/2026
Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. From 1.9.0 before 1.22.0, onnx.version_converter.convert_version() can dereference a null pointer in Upsample_6_7::adapt_upsample_6_7() in onnx/version_converter/adapters/upsample_6_7.h when processing an untrusted model with an Upsample node that has zero inputs, causing an unrecoverable denial of service. This issue is fixed in version 1.22.0.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/08/2026
The Open Neural Network Exchange (ONNX) framework serves as a critical open standard enabling interoperability between different machine learning platforms through a common file format and execution engine. This vulnerability affects versions 1.9.0 through 1.21.9 of the ONNX library where the version_converter functionality fails to properly validate input parameters during model processing. The specific flaw occurs within the convert_version() function when handling Upsample nodes that have zero inputs, creating a null pointer dereference condition in the Upsample_6_7::adapt_upsample_6_7() method located in onnx/version_converter/adapters/upsample_6_7.h.
This technical vulnerability represents a classic null pointer dereference issue categorized under CWE-476 which occurs when a program attempts to access memory through a null pointer reference. The flaw manifests specifically during version conversion operations where the ONNX library processes untrusted machine learning models containing malformed Upsample nodes. When such nodes with zero inputs are encountered, the conversion logic fails to properly initialize or validate the necessary data structures before attempting to dereference pointers, leading to immediate program termination and denial of service conditions.
The operational impact of this vulnerability extends beyond simple service disruption as it affects any system utilizing ONNX version conversion capabilities for processing external or untrusted model files. Attackers could exploit this weakness by crafting malicious ONNX models containing specially constructed Upsample nodes with zero inputs, causing legitimate applications to crash when attempting to convert these models to different versions. This represents a significant security concern for machine learning platforms that accept user-uploaded models or perform automated version conversion processes, as it can be leveraged to create persistent denial of service conditions against critical inference services.
The vulnerability aligns with ATT&CK technique T1499.004 which involves network denial of service attacks through resource exhaustion or application crashes. Organizations implementing ONNX-based machine learning workflows should prioritize immediate remediation by upgrading to version 1.22.0 or later where the null pointer dereference has been properly addressed through enhanced input validation and proper initialization of data structures. Additional mitigations include implementing strict model validation procedures before processing untrusted inputs, deploying sandboxed environments for model conversion operations, and establishing monitoring systems to detect potential exploitation attempts targeting this specific vulnerability pathway.
This issue demonstrates the importance of proper null pointer validation in complex software frameworks handling external data inputs, particularly in machine learning ecosystems where model interoperability features must maintain robustness against malformed inputs. The fix implemented in version 1.22.0 likely includes enhanced input parameter checking and defensive programming practices that prevent the null pointer dereference condition from occurring during version conversion operations, thereby restoring service availability and preventing the denial of service scenario described in the vulnerability report.