VYPR
← All advisories
Low severity3.6NVD Advisory· Published Jun 5, 2026· Updated Jun 5, 2026

CVE-2026-11329

CVE-2026-11329

Description

A cache key collision vulnerability in onnx-mlir allows local attackers to cause incorrect inference by reusing compiled models with different data types.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A cache key collision vulnerability in onnx-mlir allows local attackers to cause incorrect inference by reusing compiled models with different data types.

Vulnerability

A vulnerability exists in the generate_hash_key function within src/Runtime/python/torch_onnxmlir/src/torch_onnxmlir/backend.py in onnx-onnx-mlir up to version 0.5.0.0. The lightweight hashing mechanism for placeholder nodes incorrectly omits the data type (dtype) from the cache key, only considering the shape. This can lead to cache key collisions for models with identical structures and shapes but different dtypes [2].

Exploitation

An attacker with local access can exploit this vulnerability by creating two models with the same structure and shape but different dtypes (e.g., float32 and float64). When the second model is processed, it may incorrectly reuse the compiled shared object (.so) file generated for the first model due to the identical cache key, leading to wrong inference results without any error or warning [2, 3]. The exploitation is known to be difficult and requires a high level of complexity [Description].

Impact

Successful exploitation results in incorrect inference outputs for machine learning models. This occurs because a model with a different dtype might silently use the compiled code intended for a model with a different dtype, leading to unpredictable and erroneous results. The scope of the compromise is limited to the inference process of the affected models within the local environment [2, 3].

Mitigation

The issue is resolved by applying the patch identified by commit 72c5187ff6d13c2c2b3d3789b8f5faf99f08a5b4, which includes the dtype in the lightweight hash for placeholder nodes [3]. The affected versions are up to 0.5.0.0. No specific patch release version or date is mentioned in the available references, but applying the patch is advised [Description].

References
  1. Include dtype in lightweight hash for placeholder nodes by 3em0 · Pull Request #3427 · onnx/onnx-mlir
  2. Include dtype in lightweight hash for placeholder nodes (#3427) · onnx/onnx-mlir@72c5187

AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Onnx/Onnx Mlirreferences2 versions
    (expand)+ 1 more
    • (no CPE)
    • (no CPE)range: <=0.5.0.0

Patches

1
72c5187ff6d1

Include dtype in lightweight hash for placeholder nodes (#3427)

https://github.com/onnx/onnx-mlir3em0Mar 30, 2026via nvd-ref
commitPR #3427
1 file changed · +2 1
  • src/Runtime/python/torch_onnxmlir/src/torch_onnxmlir/backend.py+2 1 modified
    @@ -202,8 +202,9 @@ def generate_hash_key(
                         else:
                             shape.append(s)
                     shape_str = ",".join(shape)
+                    dtype = node.meta["example_value"].dtype
                     node_info.append(
-                        f"om_placeholder_{placeholder_counter}_[{shape_str}]"
+                        f"om_placeholder_{placeholder_counter}_[{shape_str}]_{dtype}"
                     )
                 else:
                     node_info.append(f"om_placeholder_{placeholder_counter}")

Vulnerability mechanics

Root cause

"The placeholder node cache key generation did not include the data type, leading to cache collisions."

Attack vector

An attacker must have local access to the system running the vulnerable code. The vulnerability is triggered when generating a hash key for placeholder nodes within the Placeholder Node Cache Handler. The complexity of exploiting this issue is high, making it difficult to achieve. The attack involves manipulating the cache key generation process to cause incorrect cache lookups.

Affected code

The vulnerability resides in the `generate_hash_key` function located in the file `src/Runtime/python/torch_onnxmlir/src/torch_onnxmlir/backend.py`. This function is part of the Placeholder Node Cache Handler component.

What the fix does

The patch modifies the `generate_hash_key` function to include the data type (dtype) in the cache key for placeholder nodes. Previously, only the shape was included. By adding the dtype, models with the same structure and shape but different data types will now generate distinct cache keys. This prevents the incorrect reuse of compiled shared objects (.so files) and resolves silent inference errors.

Preconditions

  • inputLocal access to the system.

Generated on Jun 5, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6

News mentions

0

No linked articles in our index yet.