oneflow CVE Vulnerabilities & Metrics

Focus on oneflow vulnerabilities and metrics.

Last updated: 15 Feb 2026, 23:25 UTC

About oneflow Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with oneflow. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

Global CVE Overview

Total oneflow CVEs: 29
Earliest CVE date: 06 Jun 2024, 17:15 UTC
Latest CVE date: 29 Jan 2026, 16:16 UTC

Latest CVE reference: CVE-2025-71011

Rolling Stats

30-day Count (Rolling): 18
365-day Count (Rolling): 19

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 90.0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 90.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical oneflow CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 0.0

Max CVSS: 0

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range Count
0.0-3.9 29
4.0-6.9 0
7.0-8.9 0
9.0-10.0 0

CVSS Distribution Chart

Top 5 Highest CVSS oneflow CVEs

These are the five CVEs with the highest CVSS scores for oneflow, sorted by severity first, then by recency.

All CVEs for oneflow

CVE-2025-71011 oneflow vulnerability CVSS: 0 29 Jan 2026, 16:16 UTC

An input validation vulnerability in the flow.Tensor.new_empty/flow.Tensor.new_ones/flow.Tensor.new_zeros component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.

CVE-2025-71009 oneflow vulnerability CVSS: 0 29 Jan 2026, 15:16 UTC

An input validation vulnerability in the flow.scatter/flow.scatter_add component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via crafted indices.

CVE-2025-71008 oneflow vulnerability CVSS: 0 29 Jan 2026, 15:16 UTC

A segmentation violation in the oneflow._oneflow_internal.autograd.Function.FunctionCtx.mark_non_differentiable component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.

CVE-2025-71007 oneflow vulnerability CVSS: 0 28 Jan 2026, 21:16 UTC

An input validation vulnerability in the oneflow.index_add component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.

CVE-2025-71006 oneflow vulnerability CVSS: 0 28 Jan 2026, 21:16 UTC

A floating point exception (FPE) in the oneflow.reshape component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.

CVE-2025-71005 oneflow vulnerability CVSS: 0 28 Jan 2026, 21:16 UTC

A floating point exception (FPE) in the oneflow.view component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.

CVE-2025-71004 oneflow vulnerability CVSS: 0 28 Jan 2026, 21:16 UTC

A segmentation violation in the oneflow.logical_or component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.

CVE-2025-71003 oneflow vulnerability CVSS: 0 28 Jan 2026, 21:16 UTC

An input validation vulnerability in the flow.arange() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.

CVE-2025-71002 oneflow vulnerability CVSS: 0 28 Jan 2026, 20:16 UTC

A floating-point exception (FPE) in the flow.column_stack component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.

CVE-2025-71001 oneflow vulnerability CVSS: 0 28 Jan 2026, 19:16 UTC

A segmentation violation in the flow.column_stack component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.

CVE-2025-71000 oneflow vulnerability CVSS: 0 28 Jan 2026, 18:16 UTC

An issue in the flow.cuda.BoolTensor component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.

CVE-2025-70999 oneflow vulnerability CVSS: 0 28 Jan 2026, 18:16 UTC

A GPU device-ID validation flaw in the flow.cuda.get_device_capability() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted device ID.

CVE-2025-65891 oneflow vulnerability CVSS: 0 28 Jan 2026, 18:16 UTC

A GPU device-ID validation flaw in OneFlow v0.9.0 allows attackers to trigger a Denial of Service (DoS) by invoking flow.cuda.get_device_properties() with an invalid or negative device index.

CVE-2025-65890 oneflow vulnerability CVSS: 0 28 Jan 2026, 17:16 UTC

A device-ID validation flaw in OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) by calling flow.cuda.synchronize() with an invalid or out-of-range GPU device index.

CVE-2025-65889 oneflow vulnerability CVSS: 0 28 Jan 2026, 17:16 UTC

A type validation flaw in the flow.dstack() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.

CVE-2025-65888 oneflow vulnerability CVSS: 0 28 Jan 2026, 17:16 UTC

A dimension validation flaw in the flow.empty() component of OneFlow 0.9.0 allows attackers to cause a Denial of Service (DoS) via a negative or excessively large dimension value.

CVE-2025-65887 oneflow vulnerability CVSS: 0 28 Jan 2026, 17:16 UTC

A division-by-zero vulnerability in the flow.floor_divide() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input tensor with zero.

CVE-2025-65886 oneflow vulnerability CVSS: 0 28 Jan 2026, 17:16 UTC

A shape mismatch vulnerability in OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) by supplying crafted tensor shapes.

CVE-2025-63397 oneflow vulnerability CVSS: 0 10 Nov 2025, 22:15 UTC

Improper input validation in OneFlow v0.9.0 allows attackers to cause a segmentation fault via adding a Python sequence to the native code during broadcasting/type conversion.

CVE-2024-36740 oneflow vulnerability CVSS: 0 06 Jun 2024, 19:15 UTC

An issue in OneFlow-Inc. Oneflow v0.9.1 allows attackers to cause a Denial of Service (DoS) when a negative index exceeds the range of size.

CVE-2024-36735 oneflow vulnerability CVSS: 0 06 Jun 2024, 19:15 UTC

OneFlow-Inc. Oneflow v0.9.1 does not display an error or warning when the oneflow.eye parameter is floating.

CVE-2024-36734 oneflow vulnerability CVSS: 0 06 Jun 2024, 19:15 UTC

Improper input validation in OneFlow-Inc. Oneflow v0.9.1 allows attackers to cause a Denial of Service (DoS) via inputting a negative value into the dim parameter.

CVE-2024-36732 oneflow vulnerability CVSS: 0 06 Jun 2024, 19:15 UTC

An issue in OneFlow-Inc. Oneflow v0.9.1 allows attackers to cause a Denial of Service (DoS) when an empty array is processed with oneflow.tensordot.

CVE-2024-36730 oneflow vulnerability CVSS: 0 06 Jun 2024, 19:15 UTC

Improper input validation in OneFlow-Inc. Oneflow v0.9.1 allows attackers to cause a Denial of Service (DoS) via inputting negative values into the oneflow.zeros/ones parameter.

CVE-2024-36745 oneflow vulnerability CVSS: 0 06 Jun 2024, 18:15 UTC

An issue in OneFlow-Inc. Oneflow v0.9.1 allows attackers to cause a Denial of Service (DoS) via inputting a negative value into the oneflow.index_select parameter.

CVE-2024-36743 oneflow vulnerability CVSS: 0 06 Jun 2024, 18:15 UTC

An issue in OneFlow-Inc. Oneflow v0.9.1 allows attackers to cause a Denial of Service (DoS) when an empty array is processed with oneflow.dot.

CVE-2024-36737 oneflow vulnerability CVSS: 0 06 Jun 2024, 18:15 UTC

Improper input validation in OneFlow-Inc. Oneflow v0.9.1 allows attackers to cause a Denial of Service (DoS) via inputting a negative value into the oneflow.full parameter.

CVE-2024-36736 oneflow vulnerability CVSS: 0 06 Jun 2024, 18:15 UTC

An issue in the oneflow.permute component of OneFlow-Inc. Oneflow v0.9.1 causes an incorrect calculation when the same dimension operation is performed.

CVE-2024-36742 oneflow vulnerability CVSS: 0 06 Jun 2024, 17:15 UTC

An issue in the oneflow.scatter_nd parameter of OneFlow-Inc. Oneflow v0.9.1 allows attackers to cause a Denial of Service (DoS) when the index parameter exceeds the range of shape.