PT-2026-56215 · Pypi · Onnx
Published
2026-07-07
·
Updated
2026-07-07
·
CVE-2026-44512
CVSS v3.1
5.5
Medium
| Vector | AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
Summary
Null pointer dereference (SIGSEGV) in
Upsample 6 7::adapt upsample 6 7() (onnx/version converter/adapters/upsample 6 7.h:31) when convert version() processes a model with an Upsample node that has zero inputs. The adapter accesses node->inputs()[0]->sizes() without checking input count. 107-byte PoC crashes on Release build.This is the same class of bug as the Cast adapter advisory (separate report) but in a different adapter, different file, and different operator.
Details
The Upsample 6→7 adapter validates attributes but not inputs:
cpp
// upsample 6 7.h:20-33
void adapt upsample 6 7(..., Node* node) const {
ONNX ASSERTM(
node->hasAttribute(width scale symbol) && node->hasAttribute(height scale symbol),
"...") // Attribute check PASSES
auto width scale = node->f(width scale symbol);
auto height scale = node->f(height scale symbol);
auto input shape = node->inputs()[0]->sizes();
// ^^^^^^^^^^^^^^^^^^^^
// OOB when inputs().size() == 0 → SIGSEGV
}The PoC has an Upsample node at opset 6 with the required
width scale and height scale attributes but zero inputs. The attribute assertions pass, then node->inputs()[0] on an empty ArrayRef:- Release builds (
NDEBUG): bounds-check assertion compiled out → reads garbage pointer → SIGSEGV - Debug builds:
assert(Index < Length)atarray ref.h:159→ SIGABRT
An Upsample node with zero inputs passes
graphProtoToGraph() because the import code only resolves input names present in the protobuf.PoC
python
import base64
import onnx
from onnx import version converter
poc b64 = "CAI6YQo8EgFZIghVcHNhbXBsZSoVCgt3aWR0aF9zY2FsZRUAAABAoAEBKhYKDGhlaWdodF9zY2FsZRUAAABAoAEBEgR0ZXN0YhsKAVkSFgoUCAESEAoCCAEKAggBCgIIBAoCCARCBAoAEAY="
model = onnx.load from string(base64.b64decode(poc b64))
# CRASHES — Upsample 6 7 adapter dereferences empty inputs array
version converter.convert version(model, 7) # SIGSEGV107-byte PoC. Confirmed SIGSEGV on both onnx 1.21.0 (pip) and 1.22.0 (source build).
Impact
Any application that uses
onnx.version converter.convert version() on untrusted models is vulnerable. This includes model conversion pipelines and tools that auto-upgrade opset versions for compatibility. The crash is unrecoverable (SIGSEGV).This vulnerability is part of a systemic pattern across multiple version converter adapters. A full audit of all ~45 adapters was performed as part of the fix; eight adapters were found with the same class of unguarded indexed access (cast 9 8, softmax 12 13, softmax 13 12, upsample 6 7, upsample 9 10, group normalization 20 21, broadcast forward compatibility, upsample 9 8) and all have been fixed in PR #7813.
Fix
NULL Pointer Dereference
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Onnx