PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44512 onnx CVE debrief

CVE-2026-44512 is a denial of service vulnerability in Open Neural Network Exchange (ONNX) versions from 1.9.0 before 1.22.0. The issue is caused by a null pointer dereference in the Upsample_6_7::adapt_upsample_6_7() function when processing an untrusted model with an Upsample node that has zero inputs. This vulnerability can lead to an unrecoverable denial of service. Users of affected versions should apply the patch to prevent denial of service attacks.

Vendor
onnx
Product
Unknown
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-08
Original CVE updated
2026-07-10
Advisory published
2026-07-08
Advisory updated
2026-07-10

Who should care

Users of Open Neural Network Exchange (ONNX) versions from 1.9.0 before 1.22.0 should apply the patch to prevent denial of service attacks. This includes operators, platform administrators, vulnerability management teams, and security teams who manage or use ONNX models.

Technical summary

The vulnerability exists in the onnx.version_converter.convert_version() function, specifically in the Upsample_6_7::adapt_upsample_6_7() function in onnx/version_converter/adapters/upsample_6_7.h. When processing an untrusted model with an Upsample node that has zero inputs, a null pointer dereference occurs, leading to an unrecoverable denial of service. This issue is fixed in version 1.22.0. The affected products using Open Neural Network Exchange (ONNX) versions from 1.9.0 before 1.22.0 should apply the patch to prevent denial of service attacks. Operators, platform administrators, vulnerability management teams, and security teams who manage or use ONNX models are advised to take necessary actions. Further verification of the CVE record and NVD entry is recommended to ensure accuracy.

Defensive priority

Medium priority due to the CVSS score of 5.5 and the potential for denial of service attacks.

Recommended defensive actions

  • Apply the patch by upgrading to ONNX version 1.22.0 or later.
  • Inventory and verify the version of ONNX in use.
  • Monitor for any suspicious activity related to ONNX models.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.

Evidence notes

The CVE record was published on 2026-07-08T20:16:49.913Z and last modified on 2026-07-10T19:03:20.407Z. The NVD entry is currently Undergoing Analysis. This information is based on the provided source corpus. Further verification is recommended to ensure accuracy.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T20:16:49.913Z and has not been modified since then. The NVD entry is currently Undergoing Analysis.