OpenVINO VariadicSplit allocation DoS PoC
This repository contains two valid OpenVINO IR XML/BIN model pairs that differ
only in the VariadicSplit input shape embedded in the model file.
Observed behavior with openvino==2026.2.1 under a 3 GiB address-space cap:
- control model:
read_model()succeedscompile_model()succeeds- inference succeeds with output shape
[2]
- malicious model:
read_model()succeedscompile_model()raisesRuntimeError: std::bad_alloc
Public repo:
- Repo:
https://huggingface.co/hacnho/openvino-variadic-split-allocation-dos-poc - Control XML:
https://huggingface.co/hacnho/openvino-variadic-split-allocation-dos-poc/resolve/main/control_variadic_split_2.xml - Control BIN:
https://huggingface.co/hacnho/openvino-variadic-split-allocation-dos-poc/resolve/main/control_variadic_split_2.bin - Malicious XML:
https://huggingface.co/hacnho/openvino-variadic-split-allocation-dos-poc/resolve/main/malicious_variadic_split_300m.xml - Malicious BIN:
https://huggingface.co/hacnho/openvino-variadic-split-allocation-dos-poc/resolve/main/malicious_variadic_split_300m.bin - Reproducer:
https://huggingface.co/hacnho/openvino-variadic-split-allocation-dos-poc/resolve/main/reproduce.py - Repo state at verification time:
private=false, commit<fill after upload>
Reproduction:
python3 build_poc.py
python3 reproduce.py
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support