LOW 3.6

CVE-2026-11329: Weak Hash in ONNX MLIR Node Cache Handler

CVE-2026-11329 is a low-severity weakness in ONNX MLIR's node cache handler that uses weak cryptographic hashing in the hash key generation function. The vulnerability requires local access and elevated privileges to exploit, making it a restricted-scope risk. An attacker with local user permissions could manipulate the hash mechanism to cause minor integrity issues or availability disruptions, but the attack is difficult to execute in practice and does not compromise confidentiality.

Source data · NVD / CISA · public domain

CVSS
3.1 · 3.6 LOW · CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L
Weaknesses (CWE)
CWE-327, CWE-328
Affected products
0 configuration(s)
Published / Modified
2026-06-05 / 2026-06-17

NVD description (verbatim)

A vulnerability has been found in onnx onnx-mlir up to 0.5.0.0. Affected by this issue is the function generate_hash_key of the file src/Runtime/python/torch_onnxmlir/src/torch_onnxmlir/backend.py of the component Placeholder Node Cache Handler. Such manipulation leads to use of weak hash. An attack has to be approached locally. A high complexity level is associated with this attack. The exploitation is known to be difficult. The name of the patch is 72c5187ff6d13c2c2b3d3789b8f5faf99f08a5b4. Applying a patch is advised to resolve this issue.

7 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the `generate_hash_key` function within `src/Runtime/python/torch_onnxmlir/src/torch_onnxmlir/backend.py`, which is part of ONNX MLIR's Placeholder Node Cache Handler. The function implements weak cryptographic hashing (CWE-327) and uses incorrect hash algorithms (CWE-328), allowing hash collisions or predictable cache key generation. ONNX MLIR versions up to 0.5.0.0 are affected. An attacker with local system access and user-level privileges can manipulate cache entries through hash collision or prediction, potentially corrupting model computation results or causing the runtime to fail integrity checks. The CVSS 3.1 score of 3.6 reflects the low attack vector (local only), high attack complexity, low privileges required, and minor impact on integrity and availability.

Business impact

For organizations deploying ONNX MLIR in shared compute environments or containerized systems, this vulnerability poses a risk of unauthorized model cache poisoning by co-located users. An attacker could alter cached model outputs without detection, leading to silent computational errors in machine learning pipelines. While the impact per-incident is limited to integrity and availability rather than data breach, the difficult-to-detect nature of cache manipulation could delay incident response. The risk is primarily relevant to multi-tenant machine learning platforms, research clusters, and shared GPU environments where untrusted local users may have system access.

Affected systems

ONNX MLIR versions up to and including 0.5.0.0 are affected. The vulnerability is specific to the Python runtime component (`torch_onnxmlir`) and impacts systems using ONNX MLIR for model inference, particularly those relying on the node cache optimization. Patched version information should be verified against the official ONNX MLIR release notes; the patch commit is identified as 72c5187ff6d13c2c2b3d3789b8f5faf99f08a5b4.

Exploitability

Exploitation is rated as difficult and requires a high level of attack complexity. An attacker must have local system access and user-level privileges (not root). They must understand the cache key generation mechanism, craft a deliberate hash collision or prediction attack, and execute it during active model inference. The attack does not propagate remotely and offers no privilege escalation. No known public exploits or in-the-wild abuse have been reported, and the vulnerability has not been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, reflecting the combination of restricted attack surface and high technical barriers.

Remediation

Update ONNX MLIR to a version released after 0.5.0.0 that includes cryptographic fixes to the hash key generation function. Verify the applied patch against commit 72c5187ff6d13c2c2b3d3789b8f5faf99f08a5b4 in the official repository. Until patching is complete, restrict local system access to trusted users only, implement kernel-level access controls to isolate inference processes, and monitor cache hit/miss patterns for anomalies that might indicate tampering.

Patch guidance

Check the official ONNX MLIR GitHub repository for releases published after June 5, 2026, and verify inclusion of commit 72c5187ff6d13c2c2b3d3789b8f5faf99f08a5b4. Patch priority is low but should be included in regular maintenance windows for any shared or multi-tenant deployment. Test the patch in a pre-production environment with representative model workloads to ensure cache behavior remains correct and performance is unaffected. Document the patch version in your ONNX MLIR inventory.

Detection guidance

Monitor for unexpected cache key collisions or repeated cache invalidation events in ONNX MLIR runtime logs. Implement file integrity monitoring on the `backend.py` module and related cache directories to detect unauthorized modifications. On multi-user systems, audit local user login sessions during the same time window as anomalous model inference results. Check process execution logs for unusual patterns of model inference requests that bypass cache or trigger frequent recomputation. Correlation of these signals may indicate active exploitation attempts.

Why prioritize this

This vulnerability merits low to medium priority in patch queues. While the CVSS score is low (3.6), the attack vector and complexity are restrictive, which aligns with the low severity rating. Prioritize patching for shared inference clusters, research HPC systems, and containerized ML platforms where local user isolation is imperfect. Organizations with single-tenant deployments or strict access controls can defer patching to the next scheduled maintenance cycle. Given the difficulty of exploitation, this should not displace critical or high-severity vulnerability remediation efforts.

Risk score, explained

The CVSS 3.1 score of 3.6 (LOW) is driven by the requirement for local access (AV:L), high attack complexity (AC:H), and the need for user-level privileges (PR:L). Although the vulnerability affects both integrity (I:L) and availability (A:L), the confluence of these constraints means real-world exploitation is unlikely. The vulnerability does not affect confidentiality. Organizations without multi-tenant or shared-access patterns face minimal risk. Even in higher-risk environments, the difficulty of exploitation relative to other attack vectors makes this a lower-priority remediation target.

Frequently asked questions

Can this vulnerability be exploited remotely or without user credentials?

No. CVE-2026-11329 requires local system access and user-level privileges. Remote attacks are not possible, and the attacker must be able to run code as a local user on the same system where ONNX MLIR is running.

What exactly does the weak hash enable an attacker to do?

The weak hashing in the node cache key generation allows an attacker to predict or engineer hash collisions. By doing so, they can cause the inference cache to return incorrect or poisoned model outputs for legitimate requests, without modifying the underlying model file. The attack is silent and difficult to detect.

Is there a CISA KEV entry or known public exploit for this vulnerability?

No. CVE-2026-11329 is not listed in the CISA Known Exploited Vulnerabilities catalog, and no public exploits have been disclosed. The high attack complexity and local-only requirement have kept this from becoming a widespread threat.

How does this affect container or cloud deployments?

In containerized environments, the risk depends on whether multiple untrusted users or workloads run in the same container. If ONNX MLIR containers enforce strong process isolation and run only trusted code, the exposure is minimal. However, shared GPU environments or Kubernetes clusters with weak network policies or container escape vectors could create exploitation windows.

This analysis is provided for informational purposes and is accurate as of the publication date. CVSS scores, affected version ranges, and patch identifiers are sourced from official vulnerability disclosures. Organizations should verify patch availability and compatibility against vendor advisories before deployment. This vulnerability has not been independently validated by SEC.co and exploitation complexity may vary based on specific deployment configurations. No exploit code or weaponized proof-of-concept is provided. Security teams should conduct their own risk assessment based on their infrastructure topology and threat model. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).