CRITICAL🇵🇱 Wersja polska

CVE-2024-36736

CVSS 9.8v3.1pub. 2024-06-06upd. 2025-03-25

An issue in the oneflow.permute component of OneFlow-Inc. Oneflow v0.9.1 causes an incorrect calculation when the same dimension operation is performed.

🤖 AI Analysis
How it works

The vulnerability (CWE-682 — incorrect calculation) is revealed in the oneflow.permute component during the execution of permutation operations on the same tensor dimension. When a user passes an operation concerning an identical dimension, the library performs incorrect calculations instead of properly handling such a case. A detailed proof-of-concept has been published in an external GitHub repository.

Impact

An attacker or unauthorized user can cause incorrect numerical computation results, which may result in data integrity violation in models or computational pipelines based on the OneFlow library. Depending on the application context, consequences may include malfunction of machine learning systems using this library.

Mitigation & patch

Apply patches available from the vendor according to the references. It is recommended to check the availability of a newer version of the OneFlow library and monitor the official project repository for patch information.

Who is affected

OneFlow-Inc. Oneflow v0.9.1 — oneflow.permute component

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Oneflow

    APP
    Oneflow
    0.9.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-65889HIGH7.5ten sam produkt

A type validation flaw in the flow.dstack() component of OneFlow v0.9.0 allows attackers to cause a Denial of ...

CVE-2025-65890HIGH7.5ten sam produkt

A device-ID validation flaw in OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) by calling f...

CVE-2025-65886HIGH7.5ten sam produkt

A shape mismatch vulnerability in OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via suppl...

CVE-2025-65888HIGH7.5ten sam produkt

A dimension validation flaw in the flow.empty() component of OneFlow 0.9.0 allows attackers to cause a Denial ...

CVE-2025-65891HIGH7.5ten sam produkt

A GPU device-ID validation flaw in OneFlow v0.9.0 allows attackers to trigger a Denial of Dervice (DoS) by inv...