Primary

Context

OneFlow Denial-of-Service Vulnerability via Invalid GPU Device Index

Vulnerability

A denial-of-service vulnerability has been identified in OneFlow version 0.9.0. The issue arises from a device-ID validation flaw that allows attackers to cause a crash by calling the 'flow.cuda.synchronize()' function with an invalid or out-of-range GPU device index. This leads to a failure in the 'cudaSetDevice()' call, causing the application to abort and generate a core dump.

Impact

Exploiting this vulnerability leads to a crash of the OneFlow application, accompanied by a core dump.

Reproduction

The vulnerability can be reproduced by calling 'flow.cuda.synchronize()' with an invalid GPU device index, such as 5, when the maximum available device index is lower. This will trigger a failure in setting the device, causing the application to crash.

Added: Jan 28, 2026, 5:21 PM

Updated: Jan 28, 2026, 5:21 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

4.6

remediation

0.0

relevance

2.3

threat

6.4

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

4.6

remediation

0.0

relevance

2.3

threat

6.4

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

OneFlow Denial-of-Service Vulnerability via Invalid GPU Device Index

Vulnerability

Impact

Reproduction

Affected Products

OneFlow

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating