Bug 2454371 (CVE-2026-34446) - CVE-2026-34446 onnx: ONNX: Information disclosure through hardlink path traversal
Keywords:
Status: NEW
Alias: CVE-2026-34446
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2454675 2454676
Blocks:
Reported: 2026-04-02 15:01 UTC by OSIDB Bzimport
Modified: 2026-04-02 21:30 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-04-02 15:01:18 UTC
Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, there is an issue in onnx.load: the code checks for symlinks to prevent path traversal but completely misses hardlinks, because a hardlink looks exactly like a regular file on the filesystem. This issue has been patched in version 1.21.0.
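The description points at a gap that is easy to reproduce in any loader that resolves file references relative to a model directory: a symlink can be recognised by name (lstat), but a hardlink is an ordinary directory entry for an inode that also exists elsewhere, so a containment check on the path passes. The example below is added here and is not onnx's code or its actual fix; the function names, the `UnsafeExternalDataPath` error type and the constructed model directory are assumptions for illustration. It shows a loader-side check that rejects symlinked components, rejects paths that resolve outside the base directory, and additionally refuses any regular file whose link count (`st_nlink`) is greater than one, which is the only signal a hardlink leaves.

```python
import os
import stat
import tempfile
from pathlib import Path


class UnsafeExternalDataPath(ValueError):
    """Raised when an external-data location must not be read (hypothetical name)."""


def _symlink_in_path(base: Path, candidate: Path) -> bool:
    """lstat every component below base so a symlinked directory is caught, not only a symlinked leaf."""
    current = base
    for part in candidate.relative_to(base).parts:
        current = current / part
        if current.is_symlink():
            return True
    return False


def check_external_data_path(base_dir: str, location: str) -> Path:
    """Return the vetted absolute path for `location`, or raise UnsafeExternalDataPath."""
    if Path(location).is_absolute():
        raise UnsafeExternalDataPath(f"absolute location rejected: {location}")
    base = Path(base_dir).resolve()
    candidate = base / location

    # Symlinks are visible by name before resolution; this is the kind of check
    # the bug description says the loader already performed.
    if _symlink_in_path(base, candidate):
        raise UnsafeExternalDataPath(f"symlink rejected: {location}")

    # Normalise '..' components, then require the result to stay inside base.
    resolved = candidate.resolve()
    try:
        resolved.relative_to(base)
    except ValueError:
        raise UnsafeExternalDataPath(f"escapes base directory: {location}") from None

    st = os.stat(resolved)
    if not stat.S_ISREG(st.st_mode):
        raise UnsafeExternalDataPath(f"not a regular file: {location}")

    # A hardlink carries no marker in its name or mode; the only signal is that
    # the inode is reachable under more than one name, i.e. st_nlink > 1.
    # Refusing such files closes the gap the description identifies.
    if st.st_nlink > 1:
        raise UnsafeExternalDataPath(f"hardlinked file rejected (st_nlink={st.st_nlink}): {location}")
    return resolved


def load_external_data(base_dir: str, location: str) -> bytes:
    """Read external tensor bytes only after the location has passed every check."""
    return check_external_data_path(base_dir, location).read_bytes()


def demo() -> dict:
    """Build a constructed model directory and report which locations the check accepts."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp_path = Path(tmp)
        model_dir = tmp_path / "model"
        model_dir.mkdir()
        (model_dir / "weights.bin").write_bytes(b"\x01\x02\x03\x04")  # legitimate external data
        secret = tmp_path / "secret.txt"                                # constructed file outside model_dir
        secret.write_bytes(b"not for the model loader")
        os.symlink(secret, model_dir / "via_symlink.bin")   # caught by the symlink check
        os.link(secret, model_dir / "via_hardlink.bin")     # caught only by the st_nlink check

        for name in ("weights.bin", "via_symlink.bin", "via_hardlink.bin", "../secret.txt"):
            try:
                data = load_external_data(str(model_dir), name)
                results[name] = ("accepted", data)
            except UnsafeExternalDataPath as exc:
                results[name] = ("rejected", str(exc).split(":")[0])
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:18} -> {outcome}")
```

Two trade-offs worth noting for anyone adopting this shape: a link count above one also rejects legitimately hardlinked files, which is usually acceptable for model data but should be documented; and a stat-then-read sequence leaves a small check-then-use window, so a stricter loader opens the file first and applies the same checks to `os.fstat()` on the open descriptor before reading.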

