CVE-2025-71000 – A vulnerability in OneFlow v0.9.0's flow.cuda.B... (How to Fix)

Q: What is the severity of CVE-2025-71000?

CVE-2025-71000 has a CVSS score of 7.5 (HIGH). A vulnerability in OneFlow v0.9.0's flow.cuda.BoolTensor component allows attackers to cause Denial of Service (DoS) by sending specially crafted input. This affects systems running OneFlow with CUDA support enabled. The vulnerability can crash the application or service using this component.

📋 TL;DR

A vulnerability in OneFlow v0.9.0's flow.cuda.BoolTensor component allows attackers to cause Denial of Service (DoS) by sending specially crafted input. This affects systems running OneFlow with CUDA support enabled. The vulnerability can crash the application or service using this component.

💻 Affected Systems

Products:

OneFlow

Versions: v0.9.0

Operating Systems: Linux, Windows, macOS

Default Config Vulnerable: ⚠️ Yes

Notes: Requires CUDA support enabled and usage of flow.cuda.BoolTensor component.

📦 What is this software?

Oneflow by Oneflow

View all CVEs affecting Oneflow →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service disruption causing extended downtime for applications relying on OneFlow's CUDA tensor operations.

🟠

Likely Case

Application crashes or hangs when processing malicious input through the vulnerable component.

🟢

If Mitigated

Limited impact with proper input validation and monitoring in place.

🌐 Internet-Facing: MEDIUM - Exploitable if the vulnerable component processes external input, but requires specific CUDA tensor operations.

🏢 Internal Only: MEDIUM - Could be exploited by malicious insiders or through compromised internal systems.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

CWE-400 indicates unconstrained resource consumption, suggesting relatively simple exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://github.com/Oneflow-Inc/oneflow/issues/10659

Restart Required: Yes

Instructions:

1. Monitor the GitHub issue for patch release. 2. Upgrade to patched version when available. 3. Restart affected services.

🔧 Temporary Workarounds

Input Validation

all

Implement strict input validation for flow.cuda.BoolTensor operations

Disable CUDA Support

all

Temporarily disable CUDA tensor operations if not required

🧯 If You Can't Patch

Implement network segmentation to isolate systems running vulnerable OneFlow versions
Deploy monitoring for abnormal resource consumption in CUDA tensor operations

🔍 How to Verify

Check if Vulnerable:

Check if running OneFlow v0.9.0 with CUDA support enabled and using flow.cuda.BoolTensor

Check Version:

python -c "import oneflow; print(oneflow.__version__)"

Verify Fix Applied:

Verify upgrade to patched version and test CUDA BoolTensor operations with various inputs

📡 Detection & Monitoring

Log Indicators:

Application crashes
High CPU/GPU usage spikes
CUDA error messages

Network Indicators:

Unusual input patterns to tensor processing endpoints

SIEM Query:

source="application.log" AND ("crash" OR "segfault" OR "CUDA error") AND "oneflow"

📊 Metadata

CVE ID: CVE-2025-71000

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-400

EPSS Score: 0.05% exploit probability (13.9th percentile)

Published: January 28, 2026

Last Updated: February 3, 2026

🔗 References

http://oneflow.com Product
https://github.com/Daisy2ang Not Applicable
https://github.com/Oneflow-Inc/oneflow/issues/10659 Exploit,Issue Tracking,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-71000, you might also want to check these: