PT-2026-29577 · Microsoft · Onnx

Zeroxjacks · Published 2026-04-01 · Updated 2026-04-09 · CVE-2026-34445

CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Name of the Vulnerable Software and Affected Versions: ONNX versions prior to 1.21.0

Description: The ExternalDataInfo class in ONNX used Python's setattr() function to load metadata from ONNX model files without validating the keys. This allowed an attacker to craft a malicious model that could overwrite internal object properties. Exploitation could lead to a denial-of-service (DoS) condition by causing excessive memory allocation, access bypass by reading unintended file parts, or object corruption through the injection of dunder attributes.

Recommendations: Update to ONNX version 1.21.0 or later.
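As an added illustration (not onnx's own code), the unvalidated setattr() loading pattern the description refers to, placed beside a hardened loader that allowlists keys and type-checks values before assignment; the field names and the sample entries are assumptions for illustration, not ONNX's exact external-data schema.

```python
from typing import Any

# Assumed field set for an external-data record (illustrative, not ONNX's real schema).
_FIELD_TYPES = {"location": str, "offset": int, "length": int, "checksum": str}


class ExternalDataInfoVulnerable:
    """Mirrors the unsafe pattern: every key found in the model file becomes an
    attribute, so the file controls which properties of the object get written."""

    def __init__(self, entries: dict[str, Any]) -> None:
        self.location, self.offset, self.length, self.checksum = "", 0, 0, ""
        for key, value in entries.items():
            setattr(self, key, value)  # no key or value validation


class ExternalDataInfoHardened:
    """Same loader, but only known field names are accepted, values must have the
    expected concrete type, and sizes/offsets must be non-negative."""

    def __init__(self, entries: dict[str, Any]) -> None:
        self.location, self.offset, self.length, self.checksum = "", 0, 0, ""
        for key, value in entries.items():
            expected = _FIELD_TYPES.get(key)
            if expected is None:  # rejects unknown names, including any dunder key
                raise ValueError(f"unexpected external-data key: {key!r}")
            if type(value) is not expected:  # exact type; bool is not accepted as int
                raise TypeError(f"{key!r} must be {expected.__name__}, got {type(value).__name__}")
            if key in ("offset", "length") and value < 0:
                raise ValueError(f"{key!r} must be non-negative")
            setattr(self, key, value)


def load_external_data(entries: dict[str, Any], hardened: bool = True):
    """Build a record from file-supplied entries; returns None when the hardened
    loader rejects the input so callers can fail closed."""
    if not hardened:
        return ExternalDataInfoVulnerable(entries)
    try:
        return ExternalDataInfoHardened(entries)
    except (ValueError, TypeError):
        return None


# Constructed sample entries: one well-formed, one carrying an unexpected key.
GOOD_ENTRIES = {"location": "weights.bin", "offset": 0, "length": 4096}
BAD_ENTRIES = {"location": "weights.bin", "length": 4096, "not_a_field": "x"}
```

With the vulnerable loader, the unexpected key silently becomes a new attribute; the hardened loader refuses the whole record instead.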

Fix · Resource Exhaustion · RCE

Weakness Enumeration

Related Identifiers

CVE-2026-34445
GHSA-538C-55JV-C5G9

Affected Products

Onnx