CVE-2026-14647: A weakness has been identified in onnx up to 1.21.x. This vulnerability affects the function convPoolShapeInference_opse
mediumvulnerability
security
Summary
A weakness was found in ONNX (a software format for AI models) versions up to 1.21.x that allows an out-of-bounds read (accessing memory outside the intended area). The vulnerability is in a function called convPoolShapeInference_opset19 and can be attacked remotely by someone with login access, though the attack code is now public.
Solution / Mitigation
Apply patch a7bf3a0f1d18bb62575236ef6e4944980c40e045, available at https://github.com/onnx/onnx/commit/a7bf3a0f1d18bb62575236ef6e4944980c40e045.
Vulnerability Details
CVSS Score
4.3(medium)
EPSS (30-day exploit probability)
EPSS: 0.0%
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
network
Attack Complexity
low
Privileges Required
low
User Interaction
none
Disclosure Date
July 4, 2026
Classification
Attack SophisticationModerate
Impact (CIA+S)
confidentiality
AI Component TargetedFramework
Affected Vendors
Monthly digest — independent AI security research
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-14647
First tracked: July 5, 2026 at 02:07 AM
Classified by LLM (prompt v3) · confidence: 85%