ONNX, Null Pointer Dereference, CVE-2026-44512 (Medium) -DC-Jul2026-946

Listen to this Post

CVE ID: CVE-2026-44512

– How CVE-2026-44512 Works

The Open Neural Network Exchange (ONNX) is a widely adopted open standard for machine learning interoperability, enabling models to be transferred between different frameworks. The `onnx.version_converter.convert_version()` function is a core utility that upgrades or downgrades model opset versions to maintain compatibility across toolchains. CVE-2026-44512 exposes a critical null pointer dereference vulnerability within the Upsample 6→7 version converter adapter, specifically in the `Upsample_6_7::adapt_upsample_6_7()` method defined in onnx/version_converter/adapters/upsample_6_7.h.
When `convert_version()` processes a model containing an Upsample node from opset 6, the adapter is invoked to transform it to opset 7. The adapter correctly validates the presence of the required `width_scale` and `height_scale` attributes using ONNX_ASSERTM. However, it fails to verify that the node has any input tensors before attempting to access them. The critical line `auto input_shape = node->inputs()

->sizes();` dereferences the first element of the `inputs()` array without checking its size. If an attacker crafts a model with an Upsample node that has zero inputs—a state that passes the graph import validation because the protobuf simply omits the input field—the `inputs()` array remains empty. In release builds compiled with <code>NDEBUG</code>, the bounds-check assertion in `ArrayRef` is compiled out, causing the code to read a garbage pointer from the out‑of‑bounds access and subsequently crash with a segmentation fault (SIGSEGV). In debug builds, the assertion triggers a SIGABRT.
This vulnerability is part of a broader systemic issue within the ONNX version converter. A full audit of all ~45 adapters revealed that eight adapters suffered from the same class of unguarded indexed access: <code>cast_9_8</code>, <code>softmax_12_13</code>, <code>softmax_13_12</code>, <code>upsample_6_7</code>, <code>upsample_9_10</code>, <code>group_normalization_20_21</code>, <code>broadcast_forward_compatibility</code>, and <code>upsample_9_8</code>. The attack surface is particularly dangerous because any application that calls `convert_version()` on untrusted models—including model conversion pipelines, auto‑upgrade tools, and inference servers—can be forced into an unrecoverable denial‑of‑service state. A 107‑byte proof‑of‑concept model is sufficient to trigger the crash, making exploitation trivial for remote attackers who can trick victims into loading a malicious ONNX file. The issue has been addressed in version 1.22.0, where all affected adapters now perform explicit input count checks before dereferencing.

<h2 style="color: blue;">DailyCVE Form:</h2>

Platform: ONNX
Version: 1.9.0‑1.21.x
Vulnerability: Null pointer dereference
Severity: Medium
date: 2026‑07‑08

<h2 style="color: blue;">Prediction: Patch in 1.22.0</h2>

<h2 style="color: blue;">What Undercode Say:</h2>

<ul>
<li>Analytics: 8 adapters affected; 107‑byte PoC; SIGSEGV crash; CVSS v4.0 score 5.3 (Medium); GitHub advisory published 2026‑07‑03.</li>
<li>Bash Commands to Check Version:
[bash]
python3 -c "import onnx; print(onnx.<strong>version</strong>)"
  • Reproduce Crash (PoC):
    python3 -c "
    import base64, onnx
    from onnx import version_converter
    poc = 'CAI6YQo8EgFZIghVcHNhbXBsZSoVCgt3aWR0aF9zY2FsZRUAAABAoAEBKhYKDGhlaWdodF9zY2FsZRUAAABAoAEBEgR0ZXN0YhsKAVkSFgoUCAESEAoCCAEKAggBCgIIBAoCCARCBAoAEAY='
    model = onnx.load_from_string(base64.b64decode(poc))
    version_converter.convert_version(model, 7) SIGSEGV
    "
    
  • List Affected Adapters:
    grep -r "inputs()[0]" onnx/version_converter/adapters/.h | wc -l
    
  • Exploit:

    An attacker crafts a malicious ONNX model containing an Upsample node (opset 6) with the required `width_scale` and `height_scale` attributes but zero input tensors. When the victim’s application calls `onnx.version_converter.convert_version(model, 7)` on this model, the `Upsample_6_7` adapter dereferences `node->inputs()[bash]` on an empty array, causing a segmentation fault (SIGSEGV) in release builds or a failed assertion (SIGABRT) in debug builds. The crash is unrecoverable and terminates the process, enabling a remote denial‑of‑service attack with no prior authentication or user interaction beyond opening the malicious file.

    Protection:

    • Upgrade to ONNX version 1.22.0 or later, which includes the fix from PR 7813 that adds explicit input count checks in all affected adapters.
    • Validate all untrusted ONNX models before conversion using a schema validator that rejects nodes with zero inputs.
    • Sandbox the version conversion process in a separate process or container to isolate crashes from the main application.
    • Monitor for unusual model structures and apply input sanitization to ensure every node has at least one input tensor.

    Impact:

    • Denial of Service: Successful exploitation crashes the application, rendering model conversion pipelines, inference servers, and development tools unavailable.
    • Remote Exploitation: An attacker can deliver a malicious ONNX model via email, web upload, or API endpoint, triggering the crash without user interaction (beyond loading the model).
    • Widespread Exposure: Any system using ONNX version 1.9.0 through 1.21.x that calls `convert_version()` on untrusted input is vulnerable, including many CI/CD pipelines, model zoos, and cloud ML services.
    • No Data Leakage: The vulnerability does not expose sensitive information or allow code execution; it is strictly a crash‑only denial‑of‑service flaw.

    🎯Let’s Practice Exploiting & Learn Patching For Free:

    🎓 Live Courses & Certifications:

    Join Undercode Academy for Verified Certifications

    🚀 Request a Custom Project:

    Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
    [email protected]
    💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

    Sources:

    Reported By: nvd.nist.gov
    Extra Source Hub:
    Undercode

    🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

    💬 Whatsapp | 💬 Telegram

    📢 Follow DailyCVE & Stay Tuned:

    𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

    Scroll to Top