#1132606 onnx: CVE-2026-34445

Package:
src:onnx
Source:
src:onnx
Submitter:
Salvatore Bonaccorso
Date:
2026-05-13 02:47:43 UTC
Severity:
normal
Tags:
#1132606#5
Date:
2026-04-03 16:08:21 UTC
From:
To:
Hi,

The following vulnerability was published for onnx.

CVE-2026-34445[0]:
| Open Neural Network Exchange (ONNX) is an open standard for machine
| learning interoperability. Prior to version 1.21.0, the
| ExternalDataInfo class in ONNX was using Python’s setattr() function
| to load metadata (like file paths or data lengths) directly from an
| ONNX model file. It didn’t check if the "keys" in the file were
| valid. Due to this, an attacker could craft a malicious model that
| overwrites internal object properties. This issue has been patched
| in version 1.21.0.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-34445
https://www.cve.org/CVERecord?id=CVE-2026-34445
[1] https://github.com/onnx/onnx/pull/7751
[2] https://github.com/onnx/onnx/security/advisories/GHSA-538c-55jv-c5g9

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore