🟠 High  |  Source: Microsoft Security Response Center


CVE-2026-14647 is an out-of-bounds memory access vulnerability in ONNX Runtime, Microsoft’s open-source machine learning inference engine, specifically within the convPoolShapeInference_opset19 function in old.cc. This type of memory corruption flaw can potentially be exploited to crash an application or, in more severe scenarios, execute arbitrary code. It is particularly relevant to organisations using ONNX Runtime for AI/ML inference workloads on Azure or in containerised cloud environments.

Security Architect’s Take: Audit any Azure ML, Azure AI Services, or self-hosted ONNX Runtime deployments and apply the patched version of onnxruntime as soon as Microsoft publishes a fix. In the interim, consider restricting untrusted model inputs and isolating inference workloads within sandboxed environments to limit blast radius.

Original advisory: CVE-2026-14647 onnx onnxruntime old.cc convPoolShapeInference_opset19 out-of-bounds