Upstream information
Description
Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, there is an issue in onnx.load, the code checks for symlinks to prevent path traversal, but completely misses hardlinks because a hardlink looks exactly like a regular file on the filesystem. This issue has been patched in version 1.21.0.SUSE information
Overall state of this security issue: Does not affect SUSE products
This issue is currently rated as having moderate severity.
| CVSS detail | CNA (GitHub) | National Vulnerability Database |
|---|---|---|
| Base Score | 4.7 | 5.5 |
| Vector | CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
| Attack Vector | Local | Local |
| Attack Complexity | High | Low |
| Privileges Required | None | None |
| User Interaction | Required | Required |
| Scope | Unchanged | Unchanged |
| Confidentiality Impact | High | High |
| Integrity Impact | None | None |
| Availability Impact | None | None |
| CVSSv3 Version | 3.1 | 3.1 |
SUSE Timeline for this CVE
CVE page created: Wed Apr 1 21:01:27 2026CVE page last modified: Thu Apr 16 14:57:56 2026