Out-of-Bounds Write Vulnerability in Tencent's High-Performance Neural Network Framework
CVE-2026-50144

7.1HIGH

Key Information:

Vendor

Tencent

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-50144?

The ncnn framework, developed by Tencent, is susceptible to an out-of-bounds heap write vulnerability that arises when a malicious .param model file is loaded. Specifically, during the operation of the load_param() function within the ParamDict component, a flawed condition check permits negative parameter IDs to index into the params array, which can lead to unexpected behavior or memory corruption. This flaw was rectified in a subsequent commit, reinforcing the importance of validating parameter bounds in dynamic memory handling.

Affected Version(s)

ncnn < 5a0288f255daa6c3294f77109f67718e434ec020 < 5a0288f255daa6c3294f77109f67718e434ec020

ncnn <= 20260526 <= 20260526

References

CVSS V3.1

Score:
7.1
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.