Banked from cycle269 ONNX (onnx/onnx 1.23.0) Phase-0 = WALK. The 2nd huntr Model-File-Formats target walked (after Keras saturated). Methodology + lane-level finding.
The fresh 2026 CVE cluster (34446 hardlink, 27489/34447 symlink, traversal, save_external_data TOCTOU) was my prime incomplete-fix hypothesis. It FAILS: ONNX did a CLASS-SWEEP, not a narrow point-fix. Every resolution site is guarded:
- C++ checker.cc _open_external_data (the load resolver, where the symlink/hardlink fixes live): std::filesystem::weakly_canonical + base-containment (canonical_data.find(base_str)!=0 -> fail), .. rejection (1246/1301), symlink rejection incl parent-dir + Windows reparse points (1259/1267/1341-1347), HARDLINK rejection via st_nlink>1 (1279-1286). Comprehensive.
- Python external_data_helper.py: the GHSA-538c 3-layer defense (attribute whitelist + offset/length bounds + file-size validation); load delegates path resolution entirely to the C++ guarded _open_external_data_fd.
- Python tar (utils.py _tar_members_filter): commonpath traversal check + member.issym() OR member.islnk() (blocks BOTH symlinks AND hardlinks) + the Py3.12 filter="data" path.
- model_container.py: load via the same C++ guard; save _clean_name strips :/\;,! (collapses ../ to a flat filename - no traversal).
So no Python OR C++ sibling remains. Disclosure-gate: PR #7617 (merged, "Harden resolve_external_data_location against symlink attacks") + issue #8081 OPEN "[RFC] Security threat model & triage policy" = active comprehensive security process. SWEPT + actively-triaged = WALK.
The incomplete-fix/cross-fork-portlag vein pays ONLY on POINT-FIXERS (narrow fix -> sibling survives). It WALKS on SWEEPERS (comprehensive class-sweep). When a target has a CLUSTER of recent CVEs in one class (ONNX: 4+ external-data CVEs in 2026), read the FIX SCOPE first: a comprehensive sweep (canonicalize+containment+symlink+hardlink+..+Windows-reparse, across C++ AND Python AND tar) = the maintainer SWEPT -> WALK the incomplete-fix vein. A cluster does NOT mean "more siblings"; it often means "the maintainer got serious and swept the whole class." (Same lesson as PraisonAI cycle - N-CVEs-in-a-batch can be a class-sweep, not sloppiness.)
2/2 targets walked: Keras (deser-RCE SATURATED - active huntr-report triage backlog #23055) + ONNX (external-data SWEPT - threat-model RFC #8081). PATTERN: the famous $4000 Model-File-Formats campaign targets are FAMOUS precisely because researchers swarmed them -> the easy bugs are gone + the maintainers swept/are-actively-triaging. CVE-richness CORRELATES with saturation (the CVE-rich targets = the swept ones). The "freshest CVE cluster = prime incomplete-fix" heuristic INVERTS here: a fresh cluster on a famous target = a recent SWEEP, not fresh siblings. - The QUIETER formats (Joblib, SafeTensors, GGUF) have FEWER recent CVEs = less-mined, BUT are off-strength: Joblib = pickle-by-design (won't-fix RCE), SafeTensors = designed-safe (Rust parser-bug surface only), GGUF = C++ memory-corruption (crash-PoC, not Python incomplete-fix). - HIGHEST-EV huntr-cash move for OUR strength (Python incomplete-fix) = a NICHE AI/ML APP with a recent POINT-fix CVE (the lollms/Bisheng-win profile), NOT the famous swept formats. Saturation is popularity-driven (banked); niche apps hit, famous formats walk. Related: [[2026-06-21-cycle269-keras-model-load-saturated-disclosure-gate]], the sweeper-vs-point-fixer predictor, SATURATION-IS-POPULARITY-DRIVEN, [[feedback_cross_fork_portlag_primitive]].