Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Exploitation needs a victim to load a malicious local model file, so AV:L and UI:R with PR:N; a heap-write corruption yields I:H/A:H but no disclosure, so C:N.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
ncnn is a high-performance neural network inference framework optimized for the mobile platform. In commit e54f7b1f88434e1d844ea0551b880a1cfb079ce1 and earlier, ncnn allows an out-of-bounds heap write in ncnn::ParamDict::load_param() when Net::load_param() loads a malicious .param model file because the parsed parameter id is checked only against id >= NCNN_MAX_PARAM_COUNT, allowing a negative id to index before the params[NCNN_MAX_PARAM_COUNT] array. This vulnerability is fixed by commit 5a0288f255daa6c3294f77109f67718e434ec020.
AnalysisAI
Out-of-bounds heap write in Tencent's ncnn neural-network inference framework allows a crafted .param model file to corrupt heap memory when parsed by Net::load_param(). Because ParamDict::load_param() and load_param_bin() validated the parsed parameter id only against the upper bound (id >= NCNN_MAX_PARAM_COUNT), a negative id indexes before the params[] array, giving an attacker a write primitive below the allocated buffer. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target application to call Net::load_param() (or the binary load_param_bin path) on an attacker-controlled .param/.param.bin file whose parsed parameter id is negative - that specific malformed field IS the trigger. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H, base 7.1) captures the profile well: the vector is local because exploitation requires the victim application to load an attacker-supplied model file (UI:R), not a remote network service. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious .param model file containing a negative parameter id and delivers it to a victim who loads it through an ncnn-based application (for example a mobile app or ML tool that imports third-party models). When Net::load_param() parses the file, ParamDict::load_param() writes out of bounds below the params[] array, corrupting the heap and enabling denial of service or potentially further memory-corruption exploitation. … |
| Remediation | Upstream fix available (PR/commit); released patched version not independently confirmed - apply the fix from commit 5a0288f255daa6c3294f77109f67718e434ec020 (https://github.com/Tencent/ncnn/commit/5a0288f255daa6c3294f77109f67718e434ec020), which adds a lower-bound 'id < 0' check to both load_param and load_param_bin, or upgrade to an ncnn release that includes it; consult the advisory at https://github.com/Tencent/ncnn/security/advisories/GHSA-jxmc-3mv6-7pwr for release guidance. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify and catalog all production systems using Tencent ncnn, flagging those processing model files from external or untrusted sources. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44794