Primary

Context

OneFlow GPU Device-ID Validation Vulnerability Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in OneFlow version 0.9.0. The issue arises in the 'flow.cuda.get_device_capability()' component, where an invalid GPU device ID can be used to cause a crash. This occurs because the 'cudaSetDevice()' function fails when presented with an invalid device ordinal, leading to an application abort and a core dump.

Impact

Exploitation of this vulnerability causes the application to crash, aborting the process and generating a core dump.

Reproduction

The vulnerability can be reproduced by calling the 'flow.cuda.get_device_capability()' function with an invalid device ID, such as 5, which exceeds the range of available device IDs. This will trigger a failure in the 'cudaSetDevice()' call, resulting in a crash and a core dump.

Added: Jan 28, 2026, 6:30 PM

Updated: Jan 28, 2026, 6:30 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

4.6

remediation

0.0

relevance

2.4

threat

6.4

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

4.6

remediation

0.0

relevance

2.4

threat

6.4

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

OneFlow GPU Device-ID Validation Vulnerability Leading to Denial-of-Service

Vulnerability

Impact

Reproduction

Affected Products

OneFlow

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating