CVE-2026-50144: CWE-20: Improper Input Validation in Tencent ncnn
CVE-2026-50144 is a high-severity vulnerability in Tencent's ncnn neural network inference framework. It involves improper input validation in the load_param() function, which can lead to an out-of-bounds heap write when loading a malicious .param model file. The issue arises because the parameter ID check only verifies if the ID is greater than or equal to NCNN_MAX_PARAM_COUNT, allowing negative IDs to index before the parameter array. This vulnerability has been fixed in a later commit. The CVSS score is 7.1, indicating a high impact on integrity and availability with low attack complexity but requiring user interaction.
AI Analysis
Technical Summary
Tencent ncnn versions at commit e54f7b1f88434e1d844ea0551b880a1cfb079ce1 and earlier contain an out-of-bounds heap write vulnerability in the ncnn::ParamDict::load_param() function. The vulnerability occurs because the parameter ID parsed from a .param model file is only checked to ensure it is not greater than or equal to NCNN_MAX_PARAM_COUNT, but negative IDs are not blocked. This allows an attacker to cause a heap write before the params array, potentially leading to memory corruption. The issue is fixed by commit 5a0288f255daa6c3294f77109f67718e434ec020. The CVSS 3.1 vector indicates local attack vector, low complexity, no privileges required, user interaction required, unchanged scope, no confidentiality impact, high integrity and availability impact.
Potential Impact
Successful exploitation of this vulnerability can lead to memory corruption via out-of-bounds heap writes, which may result in denial of service or arbitrary code execution affecting the integrity and availability of the system running the vulnerable ncnn version. There is no impact on confidentiality. The attack requires local access and user interaction.
Mitigation Recommendations
A fix is available and has been implemented in commit 5a0288f255daa6c3294f77109f67718e434ec020. Users should update ncnn to a version that includes this commit to remediate the vulnerability. Since no official vendor advisory or patch link is provided, verify the presence of this fix in your version control or official releases before deployment. Patch status is not yet confirmed via vendor advisory; check official Tencent ncnn sources for current remediation guidance.
CVE-2026-50144: CWE-20: Improper Input Validation in Tencent ncnn
Description
CVE-2026-50144 is a high-severity vulnerability in Tencent's ncnn neural network inference framework. It involves improper input validation in the load_param() function, which can lead to an out-of-bounds heap write when loading a malicious .param model file. The issue arises because the parameter ID check only verifies if the ID is greater than or equal to NCNN_MAX_PARAM_COUNT, allowing negative IDs to index before the parameter array. This vulnerability has been fixed in a later commit. The CVSS score is 7.1, indicating a high impact on integrity and availability with low attack complexity but requiring user interaction.
CVSS v3.1
Score 7.1high
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Tencent ncnn versions at commit e54f7b1f88434e1d844ea0551b880a1cfb079ce1 and earlier contain an out-of-bounds heap write vulnerability in the ncnn::ParamDict::load_param() function. The vulnerability occurs because the parameter ID parsed from a .param model file is only checked to ensure it is not greater than or equal to NCNN_MAX_PARAM_COUNT, but negative IDs are not blocked. This allows an attacker to cause a heap write before the params array, potentially leading to memory corruption. The issue is fixed by commit 5a0288f255daa6c3294f77109f67718e434ec020. The CVSS 3.1 vector indicates local attack vector, low complexity, no privileges required, user interaction required, unchanged scope, no confidentiality impact, high integrity and availability impact.
Potential Impact
Successful exploitation of this vulnerability can lead to memory corruption via out-of-bounds heap writes, which may result in denial of service or arbitrary code execution affecting the integrity and availability of the system running the vulnerable ncnn version. There is no impact on confidentiality. The attack requires local access and user interaction.
Mitigation Recommendations
A fix is available and has been implemented in commit 5a0288f255daa6c3294f77109f67718e434ec020. Users should update ncnn to a version that includes this commit to remediate the vulnerability. Since no official vendor advisory or patch link is provided, verify the presence of this fix in your version control or official releases before deployment. Patch status is not yet confirmed via vendor advisory; check official Tencent ncnn sources for current remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-06-03T18:49:32.275Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a57eb0b68715ace4363c88d
Added to database: 07/15/2026, 20:18:19 UTC
Last enriched: 07/15/2026, 20:32:45 UTC
Last updated: 07/15/2026, 21:27:59 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.