Listen to this Post
CVE ID: CVE-2026-44512
– How CVE-2026-44512 Works
The Open Neural Network Exchange (ONNX) is a widely adopted open standard for machine learning interoperability, enabling models to be transferred between different frameworks. The `onnx.version_converter.convert_version()` function is a core utility that upgrades or downgrades model opset versions to maintain compatibility across toolchains. CVE-2026-44512 exposes a critical null pointer dereference vulnerability within the Upsample 6→7 version converter adapter, specifically in the `Upsample_6_7::adapt_upsample_6_7()` method defined in onnx/version_converter/adapters/upsample_6_7.h.
When `convert_version()` processes a model containing an Upsample node from opset 6, the adapter is invoked to transform it to opset 7. The adapter correctly validates the presence of the required `width_scale` and `height_scale` attributes using ONNX_ASSERTM. However, it fails to verify that the node has any input tensors before attempting to access them. The critical line `auto input_shape = node->inputs()
->sizes();` dereferences the first element of the `inputs()` array without checking its size. If an attacker crafts a model with an Upsample node that has zero inputs—a state that passes the graph import validation because the protobuf simply omits the input field—the `inputs()` array remains empty. In release builds compiled with <code>NDEBUG</code>, the bounds-check assertion in `ArrayRef` is compiled out, causing the code to read a garbage pointer from the out‑of‑bounds access and subsequently crash with a segmentation fault (SIGSEGV). In debug builds, the assertion triggers a SIGABRT. This vulnerability is part of a broader systemic issue within the ONNX version converter. A full audit of all ~45 adapters revealed that eight adapters suffered from the same class of unguarded indexed access: <code>cast_9_8</code>, <code>softmax_12_13</code>, <code>softmax_13_12</code>, <code>upsample_6_7</code>, <code>upsample_9_10</code>, <code>group_normalization_20_21</code>, <code>broadcast_forward_compatibility</code>, and <code>upsample_9_8</code>. The attack surface is particularly dangerous because any application that calls `convert_version()` on untrusted models—including model conversion pipelines, auto‑upgrade tools, and inference servers—can be forced into an unrecoverable denial‑of‑service state. A 107‑byte proof‑of‑concept model is sufficient to trigger the crash, making exploitation trivial for remote attackers who can trick victims into loading a malicious ONNX file. The issue has been addressed in version 1.22.0, where all affected adapters now perform explicit input count checks before dereferencing. <h2 style="color: blue;">DailyCVE Form:</h2> Platform: ONNX Version: 1.9.0‑1.21.x Vulnerability: Null pointer dereference Severity: Medium date: 2026‑07‑08 <h2 style="color: blue;">Prediction: Patch in 1.22.0</h2> <h2 style="color: blue;">What Undercode Say:</h2> <ul> <li>Analytics: 8 adapters affected; 107‑byte PoC; SIGSEGV crash; CVSS v4.0 score 5.3 (Medium); GitHub advisory published 2026‑07‑03.</li> <li>Bash Commands to Check Version: [bash] python3 -c "import onnx; print(onnx.<strong>version</strong>)"
python3 -c " import base64, onnx from onnx import version_converter poc = 'CAI6YQo8EgFZIghVcHNhbXBsZSoVCgt3aWR0aF9zY2FsZRUAAABAoAEBKhYKDGhlaWdodF9zY2FsZRUAAABAoAEBEgR0ZXN0YhsKAVkSFgoUCAESEAoCCAEKAggBCgIIBAoCCARCBAoAEAY=' model = onnx.load_from_string(base64.b64decode(poc)) version_converter.convert_version(model, 7) SIGSEGV "
grep -r "inputs()[0]" onnx/version_converter/adapters/.h | wc -l
Exploit:
An attacker crafts a malicious ONNX model containing an Upsample node (opset 6) with the required `width_scale` and `height_scale` attributes but zero input tensors. When the victim’s application calls `onnx.version_converter.convert_version(model, 7)` on this model, the `Upsample_6_7` adapter dereferences `node->inputs()[bash]` on an empty array, causing a segmentation fault (SIGSEGV) in release builds or a failed assertion (SIGABRT) in debug builds. The crash is unrecoverable and terminates the process, enabling a remote denial‑of‑service attack with no prior authentication or user interaction beyond opening the malicious file.
Protection:
- Upgrade to ONNX version 1.22.0 or later, which includes the fix from PR 7813 that adds explicit input count checks in all affected adapters.
- Validate all untrusted ONNX models before conversion using a schema validator that rejects nodes with zero inputs.
- Sandbox the version conversion process in a separate process or container to isolate crashes from the main application.
- Monitor for unusual model structures and apply input sanitization to ensure every node has at least one input tensor.
Impact:
- Denial of Service: Successful exploitation crashes the application, rendering model conversion pipelines, inference servers, and development tools unavailable.
- Remote Exploitation: An attacker can deliver a malicious ONNX model via email, web upload, or API endpoint, triggering the crash without user interaction (beyond loading the model).
- Widespread Exposure: Any system using ONNX version 1.9.0 through 1.21.x that calls `convert_version()` on untrusted input is vulnerable, including many CI/CD pipelines, model zoos, and cloud ML services.
- No Data Leakage: The vulnerability does not expose sensitive information or allow code execution; it is strictly a crash‑only denial‑of‑service flaw.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

