VYPR · Moderate severity · NVD Advisory · Published Feb 23, 2024 · Updated Feb 13, 2025

CVE-2024-27319

Description

Versions of the package onnx before and including 1.15.0 are vulnerable to Out-of-bounds Read, as the ONNX_ASSERT and ONNX_ASSERTM functions have an off-by-one string copy.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ONNX versions ≤ 1.15.0 are vulnerable to an out-of-bounds read caused by an off-by-one error in the string copy performed by the ONNX_ASSERT and ONNX_ASSERTM macros.

Description

Versions of the ONNX package before and including 1.15.0 contain an out-of-bounds read vulnerability. The root cause is an off-by-one error in the ONNX_ASSERT and ONNX_ASSERTM macros, whose string copy can read one byte beyond the intended buffer [1].

Exploitation

The vulnerability is triggered when the assertion macros handle string arguments. An attacker may be able to craft input that causes the macros to process a string in a way that reads adjacent memory. The exact attack vector requires further analysis, but typical use of ONNX involves loading or processing model data, which could give malicious input a path to these macros [2] [3].

Impact

A successful exploit results in an out-of-bounds read that could expose sensitive memory contents. This could facilitate information disclosure or serve as a stepping stone for more complex attacks. NVD has not assigned a CVSS score at this time [1].

Mitigation

Users should upgrade to a patched release of ONNX (any version later than 1.15.0). Users unable to upgrade can apply vendor-provided patches or, as a workaround, restrict inputs from untrusted sources. Fedora has also issued a security update for the affected package [4].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package:           onnx (PyPI)
Affected versions: < 1.16.0
Patched versions:  1.16.0

Affected products: 3

Patches: 1

Commit 08a399ba75a8 · Fix Out of bounds read due to lack of string termination in assert (#5918)

https://github.com/onnx/onnx · liqun Fu · Feb 9, 2024 · via GHSA
1 file changed · +10 −5
  • onnx/common/assertions.cc · +10 −5 · modified
    @@ -9,6 +9,7 @@
     
     #include "onnx/common/assertions.h"
     
    +#include <array>
     #include <cstdarg>
     #include <cstdio>
     
    @@ -17,16 +18,20 @@
     namespace ONNX_NAMESPACE {
     
     std::string barf(const char* fmt, ...) {
    -  char msg[2048];
    +  constexpr size_t buffer_size = 2048;
    +  std::array<char, buffer_size> msg{};
       va_list args;
     
       va_start(args, fmt);
    -  // Although vsnprintf might have vulnerability issue while using format string with overflowed length,
    -  // it should be safe here to use fixed length for buffer "msg". No further checking is needed.
    -  vsnprintf(msg, 2048, fmt, args);
    +
    +  // use fixed length for buffer "msg" to avoid buffer overflow
    +  vsnprintf(static_cast<char*>(msg.data()), msg.size() - 1, fmt, args);
    +
    +  // ensure null-terminated string to avoid out of bounds read
    +  msg.back() = '\0';
       va_end(args);
     
    -  return std::string(msg);
    +  return std::string(msg.data());
     }
     
     void throw_assert_error(std::string& msg) {
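Review bot: the return value of `vsnprintf(static_cast<char*>(msg.data()), msg.size() - 1, fmt, args);` is discarded, so a message longer than buffer_size - 2 characters is silently truncated and an encoding error (negative return) goes unnoticed; consider capturing the return value and at least documenting the truncation in the comment above the call. Two smaller points in the same hunk: `static_cast<char*>(msg.data())` is a no-op, since std::array<char, N>::data() already returns char*, and because `msg{}` value-initialises every byte to zero and vsnprintf terminates its output whenever the size argument is non-zero, `msg.back() = '\0';` is defence in depth rather than the sole guarantee of termination; the comment "ensure null-terminated string" could say so. Passing `msg.size() - 1` as the limit is what reserves that final byte, so the assignment stays harmless even when the formatted text fills the buffer.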
    


References: 8
