Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-2121

NIXPKGS-2026-2121
published 2 hours ago
ONNX: Null Pointer Dereference in Upsample Version Converter Adapter (Zero Inputs)
Permalink CVE-2026-44512
5.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 2 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    39 packages
    • onnxruntime
    • sherpa-onnx
    • pkgsRocm.onnxruntime
    • pkgsRocm.sherpa-onnx
    • python313Packages.onnx
    • python314Packages.onnx
    • python313Packages.onnx-ir
    • python313Packages.tf2onnx
    • python314Packages.onnx-ir
    • python313Packages.onnx-asr
    • python313Packages.onnxslim
    • python313Packages.skl2onnx
    • python314Packages.onnx-asr
    • python314Packages.onnxslim
    • python314Packages.skl2onnx
    • python313Packages.onnxscript
    • python314Packages.onnxscript
    • python313Packages.onnxmltools
    • python313Packages.onnxruntime
    • python313Packages.sherpa-onnx
    • python314Packages.onnxmltools
    • python314Packages.onnxruntime
    • python314Packages.sherpa-onnx
    • python313Packages.optimum-onnx
    • python314Packages.optimum-onnx
    • pkgsRocm.python3Packages.onnx-ir
    • pkgsRocm.python3Packages.tf2onnx
    • pkgsRocm.python3Packages.onnx-asr
    • pkgsRocm.python3Packages.onnxscript
    • python313Packages.onnxruntime-tools
    • python314Packages.onnxruntime-tools
    • pkgsRocm.python3Packages.onnxruntime
    • pkgsRocm.python3Packages.sherpa-onnx
    • pkgsRocm.python3Packages.optimum-onnx
    • python313Packages.onnxconverter-common
    • python313Packages.rapidocr-onnxruntime
    • python314Packages.onnxconverter-common
    • python314Packages.rapidocr-onnxruntime
    • pkgsRocm.python3Packages.rapidocr-onnxruntime
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
ONNX: Null Pointer Dereference in Upsample Version Converter Adapter (Zero Inputs)

Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. From 1.9.0 before 1.22.0, onnx.version_converter.convert_version() can dereference a null pointer in Upsample_6_7::adapt_upsample_6_7() in onnx/version_converter/adapters/upsample_6_7.h when processing an untrusted model with an Upsample node that has zero inputs, causing an unrecoverable denial of service. This issue is fixed in version 1.22.0.

Affected products

onnx
  • ==>= 1.9.0, < 1.22.0

Matching in nixpkgs

Ignored packages (39)

pkgs.sherpa-onnx

Speech-to-text, text-to-speech, and speaker recognition using next-gen Kaldi with onnxruntime

Package maintainers