Out-of-Bounds Write Vulnerability in Tencent's High-Performance Neural Network Framework
CVE-2026-50144
7.1HIGH
What is CVE-2026-50144?
The ncnn framework, developed by Tencent, is susceptible to an out-of-bounds heap write vulnerability that arises when a malicious .param model file is loaded. Specifically, during the operation of the load_param() function within the ParamDict component, a flawed condition check permits negative parameter IDs to index into the params array, which can lead to unexpected behavior or memory corruption. This flaw was rectified in a subsequent commit, reinforcing the importance of validating parameter bounds in dynamic memory handling.
Affected Version(s)
ncnn < 5a0288f255daa6c3294f77109f67718e434ec020 < 5a0288f255daa6c3294f77109f67718e434ec020
ncnn <= 20260526 <= 20260526
