Platform: python
Component: onnx
Fixed version: 1.21.1
1.21.0
CVE-2026-34446 describes an arbitrary file access vulnerability discovered in ONNX Runtime versions up to 1.9.0. This flaw arises from insufficient validation of hardlinks during file loading, allowing attackers to bypass intended security measures. The vulnerability poses a significant risk, particularly within AI supply chain environments like HuggingFace, where a malicious model could silently exfiltrate secrets. A fix is available in version 1.21.0.
The core of the vulnerability lies in the onnx.load function's failure to properly validate hardlinks. While the code checks for symbolic links to prevent path traversal, it completely overlooks hardlinks. Hardlinks, appearing as regular files on the filesystem, bypass all security checks within onnx/checker.cc because the validator only calls is_symlink() and doesn't inspect inode or link count. This allows an attacker to craft a malicious ONNX model containing a hardlink to a sensitive file on the victim's system. Upon loading this model, the attacker gains unauthorized access to the targeted file without triggering any alerts or security protections. The impact is particularly severe in AI supply chains, where a single compromised model can silently steal secrets from the victim's machine.
CVE-2026-34446 was published on 2026-04-01. There is currently no indication of active exploitation or a KEV listing. Public proof-of-concept code is not yet available. The vulnerability's impact within AI supply chains warrants close monitoring, as it could be exploited to compromise machine learning models and steal sensitive data.
Organizations heavily reliant on ONNX Runtime for machine learning inference, particularly those integrating models from external sources or using shared hosting environments, are at increased risk. Environments utilizing older versions of ONNX Runtime (≤1.9.0) are directly vulnerable. AI/ML development teams and DevOps engineers responsible for model deployment are key stakeholders.
• python / onnx:

import os
import onnx  # not used by the check itself; kept for context

def check_hardlink(filepath):
    # A hardlinked file shows up as a regular file, so is_symlink()-style
    # checks miss it; the link count in st_nlink is what reveals it.
    try:
        st = os.stat(filepath)
        if st.st_nlink > 1:
            print(f"Potential hardlink detected: {filepath}")
    except FileNotFoundError:
        pass

# Example usage: check a file path
check_hardlink('/path/to/your/onnx/model.onnx')

• generic web: Inspect ONNX model files for unusual file paths or hardlink indicators using tools like ls -l or stat to check the link count.
disclosure
Exploitation status
EPSS
0.01% (1st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-34446 is to upgrade to ONNX Runtime version 1.21.0 or later, which includes the necessary fix. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restrict the sources of ONNX models loaded by your application to trusted providers only. Implement strict input validation on any user-provided data used in constructing ONNX models. Consider using a Web Application Firewall (WAF) or proxy to inspect incoming ONNX model files for suspicious patterns or hardlink structures. While a specific Sigma or YARA rule isn't readily available, monitoring for unusual file access patterns after loading ONNX models can provide early detection. After upgrading, confirm the fix by attempting to load a test ONNX model containing a hardlink to a known, non-sensitive file; it should be rejected.
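The hardlink gap described above (a validator that only calls is_symlink() and never looks at the link count) and the post-upgrade verification step in this paragraph both come down to the same pre-load policy check. The following is an added example, not code from the page or from the onnx project: it takes the external-data location strings that a loader would read from a model's tensors (assumed here to be supplied as a plain list) and rejects any that resolve outside the model directory, are symbolic links, or have more than one hard link. The model directory and the "secret" file it builds are constructed in a temp directory purely to exercise the check.

```python
import os
import tempfile
from pathlib import Path


def audit_external_data_locations(model_dir, locations):
    """Return a list of (location, reason) pairs for locations that fail policy.

    Policy (assumed for this example, not the onnx library's own logic):
      * the symlink test runs before resolving, since resolve() follows links
      * the resolved path must stay inside model_dir
      * the target must have exactly one hard link (st_nlink == 1)
    An empty list means every location passed.
    """
    model_dir = Path(model_dir).resolve()
    findings = []
    for loc in locations:
        candidate = model_dir / loc
        if candidate.is_symlink():
            findings.append((loc, "symlink"))
            continue
        try:
            real = candidate.resolve(strict=True)
        except FileNotFoundError:
            findings.append((loc, "missing"))
            continue
        if not real.is_relative_to(model_dir):
            findings.append((loc, "outside model directory"))
            continue
        st = real.stat()
        if st.st_nlink > 1:
            # Same inode as another directory entry: the hardlink case that
            # an is_symlink()-only validator does not see.
            findings.append((loc, f"hardlink (st_nlink={st.st_nlink})"))
    return findings


def build_demo_tree():
    """Create a constructed model directory for the check to run against.

    Returns (model_dir, locations). One weights file is clean; the other is a
    hardlink to a placeholder file outside the model directory that stands in
    for a sensitive file a model should never be able to reference.
    """
    root = Path(tempfile.mkdtemp(prefix="onnx_hardlink_demo_"))
    model_dir = root / "model"
    model_dir.mkdir()
    (model_dir / "weights_clean.bin").write_bytes(b"\x00" * 16)
    secret = root / "secret.txt"
    secret.write_text("constructed placeholder secret\n")
    os.link(secret, model_dir / "weights_link.bin")  # hardlink, not symlink
    return model_dir, ["weights_clean.bin", "weights_link.bin"]


def run_demo():
    """Audit the constructed tree; only weights_link.bin should be flagged."""
    model_dir, locations = build_demo_tree()
    return audit_external_data_locations(model_dir, locations)


if __name__ == "__main__":
    for loc, reason in run_demo():
        print(f"rejected {loc}: {reason}")
```

In a real loader the locations list would be read from each tensor's external_data entries before any file is opened, and a non-empty findings list would abort the load. The same function doubles as the verification step: run it against a test model whose external data is hardlinked to a known, non-sensitive file and confirm the location is reported.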
Update the ONNX library to version 1.21.0 or later. This fixes the arbitrary file read vulnerability via the hardlink bypass in ExternalData when loading ONNX models.
CVE-2026-34446 is a vulnerability in ONNX Runtime versions up to 1.9.0 that allows attackers to access files through hardlink manipulation, bypassing security checks.
You are affected if you are using ONNX Runtime versions 1.9.0 or earlier. Upgrade to 1.21.0 or later to resolve the issue.
Upgrade to ONNX Runtime version 1.21.0 or later. As a temporary workaround, restrict model sources and implement strict input validation.
There is currently no evidence of active exploitation, but the vulnerability's potential impact warrants monitoring.
Refer to the official ONNX Runtime release notes and security advisories on the Microsoft GitHub repository for the latest information.