Out of bounds read due to lack of string termination in assert
February 23, 2024
Products Impacted
This vulnerability is present in ONNX v1.1.0 up to and including v1.15.0.
CVSS Score: 3.3
AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CWE Categorization
CWE-125: Out-of-bounds Read
Details
The vulnerability exists within the onnx/common/assertions.cc file, in the barf function. This is triggered when any assert fails and the resulting string is 2048 characters or longer.
std::string barf(const char* fmt, ...) {
char msg[2048];
va_list args;
va_start(args, fmt);
// Although vsnprintf might have vulnerability issue while using format string with overflowed length,
// it should be safe here to use fixed length for buffer "msg". No further checking is needed.
vsnprintf(msg, 2048, fmt, args);
va_end(args);
return std::string(msg);
}In the barf function, which is called by ONNX_ASSERT and ONNX_ASSERTM a buffer with 2048 bytes is allocated for the generated string. However, in the vsnprintf call 2048 bytes are copied to the buffer before turning the buffer into a string. This means that any strings 2048 bytes or longer will not have a null terminator. When the string is created the program will continue reading past the end of the buffer and will copy arbitrary program memory until a string terminator is reached.
Project URL
Patches
Related SAI Security Advisory
June 12, 2026
Post-Authentication RCE via update_collection
Any authenticated user with UPDATE_COLLECTION permission can achieve remote code execution by updating a collection's embedding function to reference a malicious HuggingFace model with trust_remote_code: true. The update_collection endpoint uses the same build_from_config() code path as CVE-2026-45829. Authentication runs before model loading, so this is not a pre-authentication issue, but the model instantiation itself is unguarded.
June 12, 2026
V1 API Tenant Isolation Bypass via Null Tenant/Database Context
All V1 collection-level endpoints pass None for tenant and database to the authorization layer, making tenant-scoped access control impossible through V1, regardless of which authorization provider is configured. V1 cannot be disabled. Combined with CVE-2026-45830, any authenticated user has unrestricted read/write access to any collection by UUID through V1 endpoints.